MDL-50803 login: Remove token from URL in forgot password process

Store the token value in the session and redirect to self, thus
removing the token from the URL and eliminating the problem where
the token is exposed via the http referer header.
Jake Dallimore 2016-08-05 10:34:22 +08:00 committed by Mr. Jenkins (CiBoT)
parent 753504fbe0
commit 7ceab0d993


@ -19,6 +19,14 @@
*
* Finds the user and calls the appropriate routine for their authentication type.
*
* There are several pathways to/through this page, summarised below:
* 1. User clicks the 'forgotten your username or password?' link on the login page.
* - No token is received, render the username/email search form.
* 2. User clicks the link in the forgot password email
* - Token received as GET param, store the token in session, redirect to self
* 3. Redirected from (2)
* - Fetch token from session, and continue to run the reset routine defined in 'core_login_process_password_set()'.
*
* @package core
* @subpackage auth
* @copyright 1999 onwards Martin Dougiamas http://dougiamas.com
@ -59,12 +67,27 @@ if (isloggedin() and !isguestuser()) {
redirect($CFG->wwwroot.'/index.php', get_string('loginalready'), 5);
}
// Fetch the token from the session, if present, and unset the session var immediately.
$tokeninsession = false;
if (!empty($SESSION->password_reset_token)) {
$token = $SESSION->password_reset_token;
unset($SESSION->password_reset_token);
$tokeninsession = true;
}
if (empty($token)) {
// This is a new password reset request.
// Process the request; identify the user & send confirmation email.
core_login_process_password_reset_request();
} else {
// User clicked on confirmation link in email message
// validate the token & set new password
core_login_process_password_set($token);
// A token has been found, but not in the session, and not from a form post.
// This must be the user following the original rest link, so store the reset token in the session and redirect to self.
// The session var is intentionally used only during the lifespan of one request (the redirect) and is unset above.
if (!$tokeninsession && $_SERVER['REQUEST_METHOD'] === 'GET') {
$SESSION->password_reset_token = $token;
redirect($CFG->wwwroot . '/login/forgot_password.php');
} else {
// Continue with the password reset process.
core_login_process_password_set($token);
}
}
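Review bot: The session hand-off in the `else` branch fails silently when the session does not survive the redirect: after `$SESSION->password_reset_token = $token; redirect(...)`, the follow-up GET arrives with no token in the URL, `empty($token)` is true, and the user is shown the new-request search form with no indication that their reset link was not honoured — worth a comment on the `if (!$tokeninsession && ...)` branch such as `// Relies on the session cookie being accepted; if it is not, the redirected request falls through to the new-request form.` The comment on the same branch has a typo, `original rest link` should read `original reset link`, and it would help to note that this only removes the token from the referer of subsequent requests, not from browser history or the access log of the first GET, which is what the commit description claims to address. Stylistically the redirect target could be built with `new moodle_url('/login/forgot_password.php')` rather than string concatenation on `$CFG->wwwroot`. The `$token` read by `if (empty($token))` is assigned above this hunk, presumably from the request parameter, so the precedence between a URL token and the session token on a reload is not visible here.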