Bug #22449
Closed
reset of feuser password fails when using 'Forgot your password' form with typo3 v4.3.x + 'felogin' + 'kb_md5fepw'
Description
When the ext 'kb_md5fepw' is configured to work with the login forms of 'felogin' (and the registration form of 'sr_feuser_register'), the password is md5 encrypted before being sent back to the database.
Now the new 'Forgot your password?' form in ext 'felogin' works as expected, i.e. it successfully sends back the new password to the fe_user table, but in plain text.
Here lies the problem: when a website fe user goes to log in after they have submitted a password change, the encrypted password being submitted by the 'felogin' form doesn't match the non-encrypted password for that user that was inserted in plain text from the 'new/change password' form.
A quick fix for this is to md5 the submitted changed password in this file, noting that the new code checks if 'kb_md5fepw' is installed:
/typo3_src-4.3.2/typo3/sysext/felogin/pi1/class.tx_felogin_pi1.php
At line 269 change:
$newPass = $postData['password1'];
to
$newPass = t3lib_extMgm::isLoaded('kb_md5fepw')?md5($postData['password1']):$postData['password1'];
Please note this is only a workaround to have the 'Forgot your password?' form be aware of extension 'kb_md5fepw' being loaded and the need for the plain text password being submitted to be converted with md5 before updating the database.
Since 'kb_md5fepw' is about encrypting the password on the client side before being sent back to the website, the better solution would be to make the actual subpart template in file /typo3_src-4.3.2/typo3/sysext/felogin/template.html work like the main subpart template works with 'kb_md5fepw', and that is to check/modify field values upon form submit.
Also, there perhaps should be client-side JavaScript checking the 'Forgot your password?' form fields password1 & password2 to see that the submitted values are:
- alpha numeric only
- at least 6 characters long
- and both password1 & password2 field values match
(issue imported from #M14101)
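The mismatch described in this report, as an added example that is not part of the original issue and not TYPO3 or kb_md5fepw code: a simplified Python model of the login and reset paths, plus an audit that flags stored values written in plain text by the unpatched reset form. The function names, the in-memory user table and the sample passwords are constructed assumptions; the extension's real form handling is not modelled, and md5 appears only because it is what the report describes.

```python
import hashlib
import re

# A value stored by the md5 path is a 32-character lowercase hex digest.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def login_ok(stored, typed):
    """Login path (simplified): the md5 of the typed password is compared
    with the stored value."""
    return md5_hex(typed) == stored


def reset_password(users, username, new_password, hash_on_reset):
    """'Forgot your password?' path. hash_on_reset=False models the reported
    behaviour (plain text written), True models the workaround in the report."""
    users[username] = md5_hex(new_password) if hash_on_reset else new_password


def plaintext_rows(users):
    """Audit: usernames whose stored value is not an md5 hex digest, i.e.
    rows most likely written by the unpatched reset form."""
    return sorted(u for u, p in users.items() if not MD5_HEX.match(p))


def demo():
    # Constructed sample table: username -> stored password value.
    users = {"alice": md5_hex("oldsecret1"), "bob": md5_hex("bobpass22")}

    # Reported behaviour: reset stores plain text, so the next login fails.
    reset_password(users, "alice", "newsecret1", hash_on_reset=False)
    broken_login = login_ok(users["alice"], "newsecret1")
    flagged = plaintext_rows(users)

    # Workaround: reset stores the digest, login works, audit is clean.
    reset_password(users, "alice", "newsecret1", hash_on_reset=True)
    fixed_login = login_ok(users["alice"], "newsecret1")
    return broken_login, flagged, fixed_login, plaintext_rows(users)


if __name__ == "__main__":
    print(demo())
```

Rows flagged by the audit hold a recoverable plain-text password and should be reset through a path that hashes it.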
Updated by Chris topher over 11 years ago
- Status changed from New to Closed
- Target version deleted (0)
- TYPO3 Version set to 4.3
In newer versions kb_md5fepw isn't used any longer: "DEPRECATED: Use "saltedpasswords" and "rsaauth" extensions instead!"