Project

General

Profile

Actions

Defect #41257

closed

Wrong link in password reset email

Added by Maria Nundahl 21 days ago. Updated 13 days ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Invalid
Affected version:

Description

Hi,

The link in the pasword reset email is not correct, it takes the user back to the page for entering email and an endles loop is created.
For details of Redmine Environment and testdata please see attached document.


Files

Actions #1

Updated by Holger Just 21 days ago

  • Category changed from Email notifications to Accounts / authentication
  • Status changed from New to Needs feedback

Please extract the details from the docx document. Add screenshots directly as image attachments to this issue and add textual information directly to the issue. The docx files is not really accessible unfortunately.

Actions #2

Updated by Maria Nundahl 21 days ago

We use the following Redmine set up

Problem:
A user is clicking on the reset password button and will receive the following page to enter an email:

The user receive the following email notification:

This link is supposed to take you to the password reset page - but it takes you back to the Lost Password page and you have to enter your email again…it will be an endless loop.
This is becoming a huge problem for us, can you please help?
We think this problem started sometimes in April, but we can not find any reason why.
I made a test with my Redmine user account just to check how it should work and when I click the link I got from Redmine to reset my password it worked fine.

I clicked the link and it took me to this page:

In our set up it takes you back to the email address page..

Actions #3

Updated by Holger Just 19 days ago

When clicking on the lost password link with a token, we validate the token, and if valid, save it in the current session and redirect the user to the lost password action without the token. Here, we check the session for the token and ask the user to set a new password. For most errors along the way (such as an invalid or expired token), we set flash error messages.

About the only way I can imagine that we accept a token and redirect to the lost_password page again to ask for the email address without any flash error would be that you have somehow misconfigured your sessions, resulting in the session cookie not to be stored and sent correctly. This could happen if you use multiple distinct hostnames with redirects or some component on your server blocks cookies.

Unfortunately, this is hard to debug remotely and you may need to check the various server components on your server on your own. Things to check for include:

  • Are you always using the exact same hostname? Is the hostname in the emails the same as the one you normally use to login to your Redmine?
  • Are you always using the same protocol (http vs. https)
  • Is there some server component (such as a webserver or proxy server or web firewall) which does not forward or block cookies?

In any case, make sure that the hostname and protocol configured in Administration -> Settings matches the hostname configured in your webserver.

Actions #4

Updated by Maria Nundahl 19 days ago

Did you get a chance to look at this? I added all details and images in text instead.

Actions #5

Updated by Maria Nundahl 19 days ago

Sorry, I missed your answer.
Thankyou. I will check with my technician to see if we can solve this.

I will get back to you with test results.

Actions #6

Updated by Maria Nundahl 13 days ago

Hi,

We managed to solve the issue. We had to change the protocol.
Thanks for your help!

Actions #7

Updated by Marius BĂLTEANU 13 days ago

  • Status changed from Needs feedback to Closed
  • Resolution set to Invalid

Thanks!

Actions

Also available in: Atom PDF