View Issue Details

IDProjectCategoryView StatusLast Update
0009713mantisbtauthenticationpublic2010-01-12 10:32
Reporterschoenfeld Assigned Tojreese  
PriorityhighSeveritycrashReproducibilityalways
Status closedResolutionfixed 
Product Version1.1.4 
Fixed in Version1.1.5 
Summary0009713: Users are unable to confirm registration
Description

If I add a new user, for example "blubb", and after that open the confirmation URL in my browser (after logging out from my previous mantis session) and I then try to set a password I get a message:

Invalid form security token. Did you submit the form twice by accident?

and are therefore unable to change the password. This effectively renders user registration unusable and is therefore a high severity.

TagsNo tags attached.

Relationships

has duplicate 0009718 closedjreese Reset Password 
has duplicate 0009722 closedvboctor Reset Password Problem 
has duplicate 0009764 closedjreese New User registration password change fails! 
has duplicate 0009797 closedjreese User Creation: APPLICATION ERROR 2800 
has duplicate 0009822 closedjreese Password reset, or new user password set 
related to 0009692 closedjreese Application error #2800 when resetting password 

Activities

polzin

polzin

2008-10-20 06:42

reporter   ~0019594

The same problem here!
It can also be reproduced by "reset password".

Additionally, if mantis is currently in a session when opening the password-reset/account-registration link, the following warings are displayed:
"SYSTEM WARNING: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session

SYSTEM WARNING: Cannot modify header information - headers already sent by (output started at [xxx]/core/error_api.php:166)
"

jreese

jreese

2008-10-20 10:20

reporter   ~0019598

Sorry, I missed porting the 1.2.x fixes back to 1.1.x. This is fixed now in SVN 1.1.x r5700 and r5701.

polzin

polzin

2008-10-20 11:05

reporter   ~0019600

Can you say, when 1.1.5 will be distributed? I would like to avoid the effort of backporting r5701.

jreese

jreese

2008-10-20 11:17

reporter   ~0019601

Also needed: for SVN 1.1.x, r5702; for SVN trunk, r5703.

seiji

seiji

2008-10-20 18:25

reporter   ~0019608

If someone gets session id "XXX" and go to http://www.mantisbt.org/bugs/view?id=9713&session_id=XXX, then is session hijacked?

jreese

jreese

2008-10-20 19:08

reporter   ~0019610

Yes, although in current form, session hijacking was always possible through use of forged cookies, but there are currently no security risks for this, as no authentication information or state is yet stored in the session. However, I already have started work on another patch that will prevent against hijacking by tracking last IP address. For now though, hijacked sessions pose no security risks, simply because they are only used for storing CSRF tokens, in which case a hijacked session is of no benefit to an attacker.

seiji

seiji

2008-10-20 23:53

reporter   ~0019612

Certainly, session hijack is no benefit.

By the way, verify.php 46L,
session_regenerate_id() -> session_regenerate_id();

I think following notice will occuer in L47.

"Notice: A session had already been started - ignoring session_start() in XXX"

because session had not been destoryed when the user had not authenticated.

tmatijas

tmatijas

2008-11-05 08:21

reporter   ~0019783

OK - Nothing I did in these notes worked. I am using windows vista test machine and running iis7 sp1 and apache 2.5x.. mysql 5.x..

Version 1.1.1 user registartion and password through email hash link works fine. Version 1.1.4 will not work. I tried debuging and replacing files from 1.1.1 to 1.1.4 but the developers changed a few things namely sessions.php.

However, I signed up for this user account specially to let you all know I found a work around that will at least help those that cannot find a solution.

Put a meta refresh (and javascript forward script) in the verify file and point it to account_page.php... For some reason the hash needs to reload for updates to take place and avoid Application error #2800.

Here is the code I use:

1. IN THE BEGINNING OF FILE JUST BEFORE "<?PHP", ADD THE FOLLOWING:

<META HTTP-EQUIV="REFRESH" CONTENT = "0; URL=account_page.php">
<SCRIPT LANGUAGE="JavaScript">
function redirect()
{
window.location = "account_page.php"
}
setTimeout("redirect();", 1)
</SCRIPT>

Note: Meta content num values are seconds. i.e. 0 = 0 seconds, 1 = 1 second so on.. Note2: Javascript num values are miliseconds. i.e. 100 = 1 second, 200 = 2 seconds and so on.

Ok, I also added this code with echo response toward end of script. Better safe than sorry.

2. AT THE END OF THE FILE AND JUST BEFORE THE CLOSE PHP "?>", ADD THE FOLLOWING:

echo ' <META HTTP-EQUIV="REFRESH" CONTENT = "1; URL=account_page.php"> ';
echo ' <SCRIPT LANGUAGE="JavaScript"> ';
echo ' function redirect() ';
echo ' { ';
echo ' window.location = "account_page.php" ';
echo ' } ';
echo ' setTimeout("redirect();", 100) ';
echo ' </SCRIPT> ';

Hope this helps.

P.S. Developers, these are marked as resolved yet the problem still exists. Please reopen this ticket.

polzin

polzin

2008-11-05 09:00

reporter   ~0019785

I patched mantis to disable the "Did you submit the form twice by accident?" error-message. The session handling seems so buggy to me, that I think it was not a good decision to ship a release of mantis with it. :-(

jreese

jreese

2008-11-07 10:46

reporter   ~0019802

@tmatijas: this issue is already fixed in the development tree. There is no need to re-open this.

We will try to get 1.1.5 released as soon as we can make sure that it does not have other bugs in it.

plegall

plegall

2008-11-13 05:05

reporter   ~0019865

Same problem.

Here is what I've done to fix the problem:

[code]$ svn diff -r5692:5723 https://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0/mantisbt > /tmp/5692to5723.diff
$ svn diff -r5729:HEAD https://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0/mantisbt > /tmp/5729toHEAD.diff
$ cd /path/to/my/mantis1.1.4
$ patch -p0 < /tmp/5692to5723.diff
$ patch -p0 < /tmp/5729toHEAD.diff[/code]

I wanted to avoid revisions between 5724 and 5728 because they were only about localizations (I use only the english strings) and were bringing many changes (useless to fix this bug).

Such commands are not easy to apply, so I hope Mantis team will soon provide 1.1.5

lolka_bolka

lolka_bolka

2008-11-17 11:43

reporter   ~0019917

jreese: great to know, it will be fixed in a future version, just there is only a latest stable version at the download page, so no information for a simple user how to fix it. it took me a half an hour to search this information in a forum.

maybe you should write this at the download page:

1) download svn
2) $ svn diff -r5692:5723 https://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0/mantisbt [^] > /tmp/5692to5723.diff
$ svn diff -r5729:HEAD https://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0/mantisbt [^] > /tmp/5729toHEAD.diff
$ cd /path/to/my/mantis1.1.4
$ patch -p0 < /tmp/5692to5723.diff
$ patch -p0 < /tmp/5729toHEAD.diff

Related Changesets

MantisBT: master-1.1.x 85bb6130

2008-10-20 11:15

jreese


Details Diff
Really fix 0009713: Allow session ID to be passed via form and forced at next page load.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5702 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009713
mod - core/session_api.php Diff File
mod - account_page.php Diff File
mod - verify.php Diff File

MantisBT: master be08bb89

2008-10-20 11:16

jreese


Details Diff
Really fix 0009713: Allow session ID to be passed via form and forced at next page load.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5703 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009713
mod - account_page.php Diff File
mod - core/session_api.php Diff File
mod - verify.php Diff File

MantisBT: master-1.1.x eb71dca0

2008-10-21 11:30

jreese


Details Diff
Added code to help prevent session hijacking.
Affects issue 0009713.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5706 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009713
mod - lang/strings_english.txt Diff File
mod - core/session_api.php Diff File
mod - core/constant_inc.php Diff File

MantisBT: master 49cc4590

2008-10-21 11:31

jreese


Details Diff
Added code to help prevent session hijacking.
Affects issue 0009713.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5707 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009713
mod - lang/strings_english.txt Diff File
mod - core/session_api.php Diff File
mod - core/constant_inc.php Diff File