E107: Password reset is conflicting with "intelligent webmail" like outlook.com

Created on 21 Sep 2018 · 5 Comments · Source: e107inc/e107

The last couple of days I tested password reset.
And today I know one of the problems that is killing password reset.
The web interface of Outlook.com is preloading a preview of the website and embedding it into the e-mail text.
And this preloading thing is killing the database row in the tmp database.

solution:
The link opens a website with a button and this button triggers the new pwd feature.

Second issue:
$rcode = crypt(($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $clean_email . $datekey), e_TOKEN);

In $rcode there are signs like - / _ but later on these signs will be preg_replaced to protect from SQL injection.

A solution to this could be:

$rcode = e107::getUserSession()->generateRandomString( '############' );
Now you generate a clean random string with only upper-case and lower-case letters of the alphabet.

testing required bug enhancement
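The second issue in the report, shown in working code. This is an added example, not code from the e107 project or from the reporter: it uses a constructed sanitiser (strip everything outside A-Z, a-z, 0-9) to show why a crypt() string does not survive such a filter, and then generates a token from random_bytes() in an alphabet the filter never touches. The salt string and the input material are constructed; storing only a hash of the token in the tmp table is the example's own design choice, not something the issue describes.

```php
<?php
// Added example (not e107 project code): why a crypt() string is a poor
// URL token and how to generate one that survives an alphanumeric-only filter.

// Constructed stand-in for the preg_replace that the report says strips the
// token before it is used in SQL: everything but letters and digits is removed.
function sanitise_token(string $raw): string
{
    return preg_replace('/[^A-Za-z0-9]/', '', $raw);
}

// The original approach: crypt() output. Its alphabet is ./0-9A-Za-z and,
// for MD5/SHA/bcrypt salts, the result also carries a "$id$salt$" prefix.
function crypt_style_token(string $material, string $salt): string
{
    return crypt($material, $salt);
}

// Random token whose characters are all in [0-9a-f]: nothing for the
// sanitiser to remove, so stored and received values always compare equal.
function random_hex_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Design choice of this example: store a fingerprint of the token, not the
// token itself, so a leaked table row cannot be replayed as a working link.
function token_fingerprint(string $token): string
{
    return hash('sha256', $token);
}

function token_matches(string $stored_fingerprint, string $received): bool
{
    return hash_equals($stored_fingerprint, token_fingerprint($received));
}

// Demonstration with constructed inputs.
$crypt_token = crypt_style_token('user-agent|email|datekey', '$1$e107salt$'); // MD5-style salt
printf("crypt():    %s\n", $crypt_token);
printf("sanitised:  %s\n", sanitise_token($crypt_token));
printf("survives?   %s\n", $crypt_token === sanitise_token($crypt_token) ? 'yes' : 'no');

$hex_token = random_hex_token();
printf("hex token:  %s\n", $hex_token);
printf("survives?   %s\n", $hex_token === sanitise_token($hex_token) ? 'yes' : 'no');
printf("lookup ok?  %s\n", token_matches(token_fingerprint($hex_token), sanitise_token($hex_token)) ? 'yes' : 'no');
```

The crypt() line prints a value starting with `$1$e107salt$` and containing `.` or `/` characters, which the sanitiser drops, so the stored value and the value read back from the URL no longer match. The hex token passes through unchanged. hash_equals() is used for the comparison so that the check does not leak timing information about how many leading characters matched.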

All 5 comments

As for the first issue, I am not sure if this is something that should be fixed by e107. Outlook users should know that the preview functionality in that application is meant as preview, not as an actual working "browser".

As for the second issue, what do you think @CaMer0n?

The first issue has to be fixed - it is important.

Users with a normal webmail e-mail address don't see a problem with password reset.

But users with an outlook.com address have by default a feature activated that is "screengrabbing" the content of the linked website.
For example, you embed a YouTube link into an e-mail and you send it to an outlook.com address.
Then outlook.com shows you the text of the e-mail plus a small site preview of the website (inside the main text of the e-mail message).

The same happens with the activation link.

The "intelligent" outlook.com grabs the content of the link and while doing so it deletes the database row in the tmp table.

Next step: the user clicks on the link but now they see a window with "error - this is not a working activation link".

I have fixed this now with
https://somesite.com/fpw.php?previewAysqWmnEr as email-link.

And this link shows an activation site with a link on it
https://somesite.com/fpw.php?enabledAysqWmnEr
And the user has to actively click on this link and the next site shows the new password.

I hope this is clearer now.
This is some sort of a gaslighting bug.
Because first up everywhere else is a bug - you are getting completely nuts with this bug.

@simplythomasjay Thank you for bringing it to our attention. I believe a time-limit on the link might work better in this case (rather than deleting the row immediately after use).
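The two-step flow described in the comment above (a preview page with an explicit click, so that a mail client's prefetch does not spend the token) combined with the time limit suggested in the reply, as one added example. This is not e107 code and not the reporter's fix: an in-memory array stands in for the tmp table, the TTL value and the clock values are constructed, and the token is consumed only on a POST, which is this example's choice of "active click".

```php
<?php
// Added example (not e107 project code): a reset flow that a link-preview
// fetch cannot consume. An in-memory array stands in for the tmp table.

const RESET_TTL = 3600; // seconds a link stays valid (constructed value)

class ResetStore
{
    /** @var array<string, array{email:string, issued:int, used:bool}> keyed by token fingerprint */
    private array $rows = [];

    public function issue(string $email, int $now): string
    {
        $token = bin2hex(random_bytes(16));                // 32 hex chars, URL-safe
        $this->rows[hash('sha256', $token)] = [
            'email'  => $email,
            'issued' => $now,
            'used'   => false,
        ];
        return $token;                                     // only the token goes into the e-mail
    }

    // Step 1: GET fpw.php?token=...  Anything that merely fetches the URL,
    // a webmail preview included, lands here and changes nothing in the store.
    public function preview(string $token, int $now): string
    {
        $row = $this->rows[hash('sha256', $token)] ?? null;
        if (!$this->isLive($row, $now)) {
            return 'error - this is not a working reset link';
        }
        // A form that POSTs the token back is the "button" the report proposes.
        return '<form method="post"><input type="hidden" name="token" value="'
            . htmlspecialchars($token, ENT_QUOTES, 'UTF-8')
            . '"><button type="submit">Reset my password</button></form>';
    }

    // Step 2: POST with the token. This is the only place the row is spent.
    public function confirm(string $token, int $now): ?string
    {
        $fp  = hash('sha256', $token);
        $row = $this->rows[$fp] ?? null;
        if (!$this->isLive($row, $now)) {
            return null;
        }
        $this->rows[$fp]['used'] = true;                   // single use
        return $row['email'];                              // caller now sets the new password
    }

    // Row exists, has not been used, and is within the time limit.
    private function isLive(?array $row, int $now): bool
    {
        return $row !== null && !$row['used'] && ($now - $row['issued']) <= RESET_TTL;
    }
}

// Demonstration with a constructed clock.
$store = new ResetStore();
$t0    = 1537500000;
$token = $store->issue('user@example.com', $t0);

echo $store->preview($token, $t0 + 5), "\n";             // webmail preview: row still intact
var_dump($store->confirm($token, $t0 + 60));             // user clicks the button: "user@example.com"
var_dump($store->confirm($token, $t0 + 61));             // replay of the same link: NULL
$late = $store->issue('other@example.com', $t0);
var_dump($store->confirm($late, $t0 + RESET_TTL + 1));   // link older than RESET_TTL: NULL
```

Because the GET handler only reads the row, a prefetching client can load the page any number of times without invalidating the link; the row is marked used on the first successful POST, and the TTL check covers the case where the user never clicks at all, so stale rows can be swept later without a separate "delete on first view" step.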

@Moc @CaMer0n @simplythomasjay I am experiencing this same issue for users that are trying to reset from hotmail as well. Is there a temp fix for this?

Will try to get this fixed soon.
