confirmation links don't expire #37

Closed
opened 2019-06-10 09:41:34 +00:00 by b3yond · 2 comments

Author: @b3yond Posted at: 16.09.2018 14:25

Confirmation links don't expire yet. This means you can log in without a password if you find the confirmation link that created the account; works only if the frontend has not been restarted since then.

Steps to Reproduce:

  1. register account
  2. click on confirmation link once
  3. click on confirmation link a second time

Expected Behavior:

The first confirmation link redirects to the settings page, the second time to click on the link redirects to index with the error message "account already exists."

Actual Behavior:

Every time you click on the confirmation link you get redirected to the settings page. Also, a second account for the same city is registered.

b3yond added the security label 2019-06-10 09:41:34 +00:00

Author: @b3yond Posted at: 28.10.2018 12:21

This is kind of nice when you forget your password, actually, because you can just press on the old link. But well, this kind of behavior should not be encouraged, of course.

The problem is, it actually creates a new user when you click on the link again. We now have two ticketfrei users with the same city etc.
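The two defects described in the report and in this comment, a confirmation token that is never invalidated and a confirm handler that creates a user on every click, can be illustrated side by side. The following is an added example, not ticketfrei's own code: the `VulnerableConfirmer` class reproduces the reported behaviour (same token confirms again and again, one new user per click), and `HardenedConfirmer` shows the usual fix, a token that is bound to one pending registration, consumed on first use, and rejected after a time-to-live. The class names, the in-memory `UserDB`, the 24-hour `TTL` and the injectable `now` clock are all assumptions made for the example.

```python
"""Single-use, expiring confirmation tokens (added illustration, not ticketfrei code)."""
import secrets
import time


class UserDB:
    """Minimal stand-in for the user table; 'city' mirrors the field the issue mentions."""

    def __init__(self):
        self.users = []

    def add(self, email, city):
        self.users.append({"id": len(self.users) + 1, "email": email, "city": city})
        return self.users[-1]["id"]

    def count_for_city(self, city):
        return sum(1 for u in self.users if u["city"] == city)


class VulnerableConfirmer:
    """Behaviour as reported: the token stays valid for the life of the process and
    every visit to the link inserts another user."""

    def __init__(self, db):
        self.db = db
        self.pending = {}  # token -> (email, city); never removed

    def register(self, email, city):
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, city)
        return token

    def confirm(self, token):
        if token not in self.pending:
            return ("index", "invalid link")
        email, city = self.pending[token]
        user_id = self.db.add(email, city)  # a new user on every click
        return ("settings", user_id)


class HardenedConfirmer:
    """Token is single-use (marked used on the first click) and expires after TTL."""

    TTL = 24 * 3600  # assumed lifetime in seconds

    def __init__(self, db, now=time.time):
        self.db = db
        self.now = now  # injectable clock so expiry can be tested offline
        self.pending = {}  # token -> {"email", "city", "expires", "used"}

    def register(self, email, city):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[token] = {
            "email": email,
            "city": city,
            "expires": self.now() + self.TTL,
            "used": False,
        }
        return token

    def confirm(self, token):
        entry = self.pending.get(token)
        if entry is None:
            return ("index", "invalid link")
        if entry["used"]:
            # matches the expected behaviour in the report: second click is refused
            return ("index", "account already exists")
        if self.now() > entry["expires"]:
            del self.pending[token]
            return ("index", "confirmation link expired")
        entry["used"] = True  # consume before touching the database
        user_id = self.db.add(entry["email"], entry["city"])
        return ("settings", user_id)


def run_demo():
    """Constructed walk-through of both confirmers; returns the observed user counts."""
    db = UserDB()
    vuln = VulnerableConfirmer(db)
    link = vuln.register("a@example.org", "Nuremberg")  # constructed sample data
    vuln.confirm(link)
    vuln.confirm(link)  # second click: still "settings", second user created

    clock = [1_000_000.0]
    db2 = UserDB()
    hard = HardenedConfirmer(db2, now=lambda: clock[0])
    link2 = hard.register("a@example.org", "Nuremberg")
    hard.confirm(link2)
    second = hard.confirm(link2)  # refused, no duplicate user
    link3 = hard.register("b@example.org", "Berlin")
    clock[0] += HardenedConfirmer.TTL + 1
    expired = hard.confirm(link3)  # refused, link too old
    return {
        "vulnerable_users": db.count_for_city("Nuremberg"),
        "hardened_users": db2.count_for_city("Nuremberg"),
        "second_click": second,
        "expired_click": expired,
    }


if __name__ == "__main__":
    print(run_demo())
```

A real deployment would keep the pending entries in the database rather than in process memory (which is also why the report notes the link only works until the frontend restarts), and would store a hash of the token rather than the token itself, so that a leaked table dump does not hand out valid links.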


Author: @b3yond Posted at: 11.01.2019 11:43

I'm a bit ashamed that we left a security issue open for 4 months.

Reference: juergen/ticketfrei#37