Bug #104214

open

Broken redirect to referrer after changing password

Added by Xavier Perseguers 4 days ago. Updated 2 days ago.

Status: Under Review
Priority: Should have
Assignee: -
Category: felogin
Target version: -
Start date: 2024-06-26
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 11
PHP Version:
Tags:
Complexity:
Is Regression: Yes
Sprint Focus:

Description

The problem has been described in #21943 already:

- You ask to reset your password, and click the link to enter new password twice
- You get a confirmation message everything is fine, you may now log in
- You do the login and get an "error message" telling you that the link you clicked is invalid and that you should repeat the reset password procedure

If you happen(ed) to click anywhere else in the website at this stage, you would see that you are actually properly authenticated but as a user you see that error message and contact your TYPO3 administrator instead.

Steps

0. Ensure your felogin plugin is configured to take "referrer" as first redirect option after successful login
1. Click on password reset link
2. Password reset form is presented. Here info:

3. Change is successful, it redirects to login page at the end of \TYPO3\CMS\FrontendLogin\Controller\PasswordRecoveryController::changePasswordAction()
4. After successful login, I'm redirected to the password change as it's part of the referer:


Files

clipboard-202406260951-evjop.png (84.4 KB) Xavier Perseguers, 2024-06-26 07:51
clipboard-202406260958-nygji.png (371 KB) Xavier Perseguers, 2024-06-26 07:58
clipboard-202406261024-7o9hp.png (39.1 KB) Xavier Perseguers, 2024-06-26 08:24

Related issues 3 (2 open, 1 closed)

Related to TYPO3 Core - Bug #21943: redirect to referer when changing password (Closed, 2010-01-11)
Related to TYPO3 Core - Bug #100772: Disabling of referer redirect via redirectReferrer flag is not persisted on login failure (Under Review, 2023-04-27)
Related to TYPO3 Core - Bug #101581: felogin gives "1554994253: The link you clicked is not valid. Please repeat the forgot password procedure" on first login after password reset (Under Review, 2023-08-04)

Actions #1

Updated by Xavier Perseguers 4 days ago

  • Description updated (diff)
Actions #2

Updated by Xavier Perseguers 4 days ago

  • Related to Bug #21943: redirect to referer when changing password added
Actions #3

Updated by Xavier Perseguers 4 days ago

  • Description updated (diff)
Actions #4

Updated by Xavier Perseguers 4 days ago

The actual problem is that the login form presented right after the password change contains the password recovery referrer:

It looks like that referrer is actually extracted from $_SERVER['HTTP_REFERER'] in that context, as part of \TYPO3\CMS\FrontendLogin\Redirect\RedirectHandler::getReferrerForLoginForm()

Unsure how to generically detect the URL is actually the form itself in password recovery context. I have the feeling that password recovery link is never logically supposed to be useful in the context of a possibly valid referrer for the login form...
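
An illustration of the check discussed in note #4, added here as an example (it is not the patch under review and not TYPO3 core code): a referrer filter that refuses same-site URLs pointing into the password recovery flow before they are used as a post-login redirect target. The function name, the `tx_felogin_login` argument names and the sample URLs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code.
// Assumptions: recovery links carry Extbase arguments in the tx_felogin_login
// namespace (controller=PasswordRecovery, one-time hash); names are illustrative.
const FELOGIN_NAMESPACE = 'tx_felogin_login';

/**
 * Return $referrer if it may be used as redirect target after login,
 * or '' if it is malformed, off-site, or points into password recovery.
 */
function filterLoginReferrer(string $referrer, string $siteHost): string
{
    $parts = parse_url($referrer);
    if (!is_array($parts) || !isset($parts['host'], $parts['scheme'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], $siteHost) !== 0) {
        return '';
    }
    // parse_str() decodes tx_felogin_login%5Bhash%5D=... into a nested array.
    parse_str($parts['query'] ?? '', $query);
    $args = $query[FELOGIN_NAMESPACE] ?? [];
    if (!is_array($args)) {
        return $referrer;
    }
    $controller = is_string($args['controller'] ?? null) ? $args['controller'] : '';
    if (strcasecmp($controller, 'PasswordRecovery') === 0 || isset($args['hash'])) {
        return '';
    }
    return $referrer;
}

// Constructed sample referrers (hash value is a placeholder, not a real token).
$samples = [
    'https://example.org/members/dashboard',
    'https://example.org/login?tx_felogin_login%5Baction%5D=showChangePassword'
        . '&tx_felogin_login%5Bcontroller%5D=PasswordRecovery'
        . '&tx_felogin_login%5Bhash%5D=PLACEHOLDER',
    'https://other.example.net/page',
    '/relative/path',
];
foreach ($samples as $sample) {
    printf("%s\n  => %s\n", $sample, var_export(filterLoginReferrer($sample, 'example.org'), true));
}
```

Only the first sample is returned unchanged; the recovery link, the off-site URL and the relative path all yield an empty string. A query-string check like this does not cover sites where route enhancers move the plugin arguments into the path, so such setups would need to match on the resolved route instead.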

Actions #5

Updated by Gerrit Code Review 3 days ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84925

Actions #6

Updated by Xavier Perseguers 3 days ago

  • Related to Bug #100772: Disabling of referer redirect via redirectReferrer flag is not persisted on login failure added
Actions #7

Updated by Xavier Perseguers 3 days ago

  • Description updated (diff)
Actions #8

Updated by Torben Hansen 2 days ago

  • Related to Bug #101581: felogin gives "1554994253: The link you clicked is not valid. Please repeat the forgot password procedure" on first login after password reset added
Actions #9

Updated by Gerrit Code Review 2 days ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84925

Actions #10

Updated by Gerrit Code Review 2 days ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84925
