View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009713 | mantisbt | authentication | public | 2008-10-20 04:17 | 2010-01-12 10:32 |
Reporter | schoenfeld | Assigned To | jreese | ||
Priority | high | Severity | crash | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.1.4 | ||||
Fixed in Version | 1.1.5 | ||||
Summary | 0009713: Users are unable to confirm registration | ||||
Description | If I add a new user, for example "blubb", and after that open the confirmation URL in my browser (after logging out from my previous mantis session) and I then try to set a password I get a message: Invalid form security token. Did you submit the form twice by accident? and are therefore unable to change the password. This effectively renders user registration unusable and is therefore a high severity. | ||||
Tags | No tags attached. | ||||
has duplicate | 0009718 | closed | jreese | Reset Password |
has duplicate | 0009722 | closed | vboctor | Reset Password Problem |
has duplicate | 0009764 | closed | jreese | New User registration password change fails! |
has duplicate | 0009797 | closed | jreese | User Creation: APPLICATION ERROR 2800 |
has duplicate | 0009822 | closed | jreese | Password reset, or new user password set |
related to | 0009692 | closed | jreese | Application error #2800 when resetting password |
The same problem here! Additionally, if mantis is currently in a session when opening the password-reset/account-registration link, the following warings are displayed: SYSTEM WARNING: Cannot modify header information - headers already sent by (output started at [xxx]/core/error_api.php:166) |
|
Sorry, I missed porting the 1.2.x fixes back to 1.1.x. This is fixed now in SVN 1.1.x r5700 and r5701. |
|
Can you say, when 1.1.5 will be distributed? I would like to avoid the effort of backporting r5701. |
|
Also needed: for SVN 1.1.x, r5702; for SVN trunk, r5703. |
|
If someone gets session id "XXX" and go to http://www.mantisbt.org/bugs/view?id=9713&session_id=XXX, then is session hijacked? |
|
Yes, although in current form, session hijacking was always possible through use of forged cookies, but there are currently no security risks for this, as no authentication information or state is yet stored in the session. However, I already have started work on another patch that will prevent against hijacking by tracking last IP address. For now though, hijacked sessions pose no security risks, simply because they are only used for storing CSRF tokens, in which case a hijacked session is of no benefit to an attacker. |
|
Certainly, session hijack is no benefit. By the way, verify.php 46L, I think following notice will occuer in L47. "Notice: A session had already been started - ignoring session_start() in XXX" because session had not been destoryed when the user had not authenticated. |
|
OK - Nothing I did in these notes worked. I am using windows vista test machine and running iis7 sp1 and apache 2.5x.. mysql 5.x.. Version 1.1.1 user registartion and password through email hash link works fine. Version 1.1.4 will not work. I tried debuging and replacing files from 1.1.1 to 1.1.4 but the developers changed a few things namely sessions.php. However, I signed up for this user account specially to let you all know I found a work around that will at least help those that cannot find a solution. Put a meta refresh (and javascript forward script) in the verify file and point it to account_page.php... For some reason the hash needs to reload for updates to take place and avoid Application error #2800. Here is the code I use: 1. IN THE BEGINNING OF FILE JUST BEFORE "<?PHP", ADD THE FOLLOWING: <META HTTP-EQUIV="REFRESH" CONTENT = "0; URL=account_page.php"> Note: Meta content num values are seconds. i.e. 0 = 0 seconds, 1 = 1 second so on.. Note2: Javascript num values are miliseconds. i.e. 100 = 1 second, 200 = 2 seconds and so on. Ok, I also added this code with echo response toward end of script. Better safe than sorry. 2. AT THE END OF THE FILE AND JUST BEFORE THE CLOSE PHP "?>", ADD THE FOLLOWING: echo ' <META HTTP-EQUIV="REFRESH" CONTENT = "1; URL=account_page.php"> '; Hope this helps. P.S. Developers, these are marked as resolved yet the problem still exists. Please reopen this ticket. |
|
I patched mantis to disable the "Did you submit the form twice by accident?" error-message. The session handling seems so buggy to me, that I think it was not a good decision to ship a release of mantis with it. :-( |
|
@tmatijas: this issue is already fixed in the development tree. There is no need to re-open this. We will try to get 1.1.5 released as soon as we can make sure that it does not have other bugs in it. |
|
Same problem. Here is what I've done to fix the problem: [code]$ svn diff -r5692:5723 https://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0/mantisbt > /tmp/5692to5723.diff I wanted to avoid revisions between 5724 and 5728 because they were only about localizations (I use only the english strings) and were bringing many changes (useless to fix this bug). Such commands are not easy to apply, so I hope Mantis team will soon provide 1.1.5 |
|
jreese: great to know, it will be fixed in a future version, just there is only a latest stable version at the download page, so no information for a simple user how to fix it. it took me a half an hour to search this information in a forum. maybe you should write this at the download page: 1) download svn |
|
MantisBT: master-1.1.x 85bb6130 2008-10-20 11:15 Details Diff |
Really fix 0009713: Allow session ID to be passed via form and forced at next page load. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5702 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0009713 |
|
mod - core/session_api.php | Diff File | ||
mod - account_page.php | Diff File | ||
mod - verify.php | Diff File | ||
MantisBT: master be08bb89 2008-10-20 11:16 Details Diff |
Really fix 0009713: Allow session ID to be passed via form and forced at next page load. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5703 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0009713 |
|
mod - account_page.php | Diff File | ||
mod - core/session_api.php | Diff File | ||
mod - verify.php | Diff File | ||
MantisBT: master-1.1.x eb71dca0 2008-10-21 11:30 Details Diff |
Added code to help prevent session hijacking. Affects issue 0009713. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5706 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0009713 |
|
mod - lang/strings_english.txt | Diff File | ||
mod - core/session_api.php | Diff File | ||
mod - core/constant_inc.php | Diff File | ||
MantisBT: master 49cc4590 2008-10-21 11:31 Details Diff |
Added code to help prevent session hijacking. Affects issue 0009713. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5707 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0009713 |
|
mod - lang/strings_english.txt | Diff File | ||
mod - core/session_api.php | Diff File | ||
mod - core/constant_inc.php | Diff File |