View Issue Details

ID: 0014387
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2014-09-23 18:05
Reporter: Cryas
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.10
Target Version: 1.2.12
Fixed in Version: 1.2.12
Summary: 0014387: $g_max_failed_login_count Enabled Prevents User from logging after passwd reset
Description

A customer of mine and I had this issue. I enabled $g_max_failed_login_count and all appeared well; however, a customer of mine required a passwd reset. Once done, the email was received, followed, and the new passwd created. But when he attempted to use it, the site disabled the login.

I set $g_max_failed_login_count = OFF; and everything worked properly again.

I tried this myself, no failed passwd attempts, and got the same result.

Steps To Reproduce

$g_max_failed_login_count = ON; // If not enabled already
Save.

Logout.
Reset Password through Tool.
Enter Name and Email.
Receive email, follow link.
"Verify" user and enter in new passwd and confirm.
Proceed upon confirmation.
Login with Username and New passwd.
Blocked.

Tags: No tags attached.

Relationships

related to 0007680 (closed, vboctor): Successful Sign up should set login count to 1
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad

2012-06-13 05:38

developer   ~0032089

The described behavior can be reproduced in current 1.2.x dev head.

Apparently the account verification code is resetting the failed login count to 1 instead of zero.

Please note that $g_max_failed_login_count should be either OFF, or a numeric value indicating how many failed attempts are authorized. If you set it to ON as in your example, you are effectively allowing a single error before disabling the account. So as a workaround, I suggest you set it to 2 or more.
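
A simplified model of the counter behaviour described in the note above, as an added example that is not part of the original issue and is not MantisBT's code. The function names, the sample user array, the integer values of ON and OFF, and the rule that login is allowed while the failed count is below the limit are assumptions made for illustration.

```php
<?php
// Simplified model of the counters discussed in this issue. All names here
// are hypothetical; this is not MantisBT's code.
const OFF = 0; // assumption: OFF and ON are the integers 0 and 1,
const ON  = 1; // which is why "= ON" acts as a limit of one failure

// Assumed rule: login is allowed while failed_login_count is below the limit.
function login_allowed(array $user, int $max_failed): bool {
    return $max_failed === OFF || $user['failed_login_count'] < $max_failed;
}

// Following the verification link, before the fix: the wrong counter is bumped.
function verify_before_fix(array $user): array {
    $user['failed_login_count']++;
    return $user;
}

// After the fix: the visit counts as a login, not as a failure.
function verify_after_fix(array $user): array {
    $user['login_count']++;
    return $user;
}

// Flags limits that lock an account on the first counted failure.
function check_limit(int $max_failed): string {
    if ($max_failed === OFF) return 'lockout disabled';
    if ($max_failed < 2)     return 'locks after a single failure; use 2 or more';
    return "locks after $max_failed failures";
}

$fresh = ['login_count' => 0, 'failed_login_count' => 0]; // constructed sample user

// Compare both verification behaviours under the settings named in the issue.
foreach ([ON, 3, OFF] as $limit) {
    $before = login_allowed(verify_before_fix($fresh), $limit);
    $after  = login_allowed(verify_after_fix($fresh), $limit);
    printf("limit=%d (%s): before fix %s, after fix %s\n",
        $limit, check_limit($limit),
        $before ? 'allowed' : 'BLOCKED',
        $after ? 'allowed' : 'BLOCKED');
}
```

Only the limit of ON combined with the pre-fix verification path ends in a blocked login, which matches the report that setting the option to OFF made the problem disappear.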

grangeway

2013-04-05 17:56

reporter   ~0036145

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master c10e49b8

2012-06-12 22:45

dregad


Fix verify.php bumping failed count instead of login count

This prevented admins from unlocking a user's account by resetting their
password when $g_max_failed_login_count = 1.

See commit d306af51746bdb781d3a721d7af718eae34ffe5d

Fixes 0014387
Affected Issues
0014387
mod - verify.php

MantisBT: master-1.2.x f921d55d

2012-06-12 22:45

dregad


Fix verify.php bumping failed count instead of login count

This prevented admins from unlocking a user's account by resetting their
password when $g_max_failed_login_count = 1.

See commit d306af51746bdb781d3a721d7af718eae34ffe5d

Fixes 0014387
Affected Issues
0014387
mod - verify.php