Ecommerce software home
Shopping Cart Software Forum for Ecommerce Templates
 
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
 Password:
Save Password
Forgot your Password?

Find us on Facebook Follow us on Twitter View our YouTube channel
Search our site
Buy now for ...
How it works
General help
 All Forums
 Technical
 ASP (Windows server) versions
 Password reset token missing for old accounts
Author « Topic »  

Dermontti
Advanced Member

USA
119 Posts

Posted - 03/13/2024 :  05:13:09  
Hello,

We have been using your platform for over 20 years.

We have just upgraded to the latest stable version on our dev site.

Old accounts have an issue with a password reset and a token is not generated. If the account is deleted and a new one made with exact same info, the reset token works like the second example below. New accounts also work.

Do you have any idea what the issue may be? We need this to work for old customers as well as new ones.

1.
We received a request to reset your password for your account at
https://192.168.2.34:444/

Please click on the link below to reset your password.
https://192.168.2.34:444/clientlogin.asp?rst=ABC123@domain.com&rsk= <=== no token

If you received this email in error you need take no action.


We received a request to reset your password for your account at
https://192.168.2.34:444/

Please click on the link below to reset your password.
https://192.168.2.34:444/clientlogin.asp?rst=ABC123@gmail.com&rsk=f22b3514f479e362ad94e2adb87f7f84

If you received this email in error you need take no action.

Dermontti
Advanced Member

USA
119 Posts
Posted - 03/13/2024 :  06:49:07  
I found that we added our own hashed password column to the database many years ago and most accounts had the clPW field blank.

I added the below logic and it pulls one of the passwords with clPW as prio and properly creates the RSK token.

if NOT dofloodcontrol then
' logic to be able to reset old passwords using our hash if the clPW field is blank in the database.
Dim passwordHash
If Trim(rs("clPW")) <> "" Then
passwordHash = rs("clPW")
Else
passwordHash = rs("clpasswordhash")
End If
if htmlemails=TRUE then emlNl="<br />" else emlNl=vbCrLf
tlink=storeurl & pagename & "?rst=" & theemail & "&rsk=" & passwordHash
if htmlemails=TRUE then tlink="<a href=""" & tlink & """>" & tlink & "</a>"

also needed to check custom column as a fallback upon reset logic:
sSQL="SELECT clID, FROM customerlogin WHERE clEmail='" & escape_string(getget("rst")) & "' AND (clPw='" & escape_string(getget("rsk")) & "' OR clpasswordhash='" & escape_string(getget("rsk")) & "')"


**Is there an option for requiring a verification email for a new account and forcing them to enter email twice on the new account form?

**Also, this method is insecure. It exposes the hashed password, has no expiry and the link seems to be active forever. The password is also still MD5 and not SHA256. Is there a fix for this now or planned in the future?
Edited by - Dermontti on 03/13/2024 07:45:27

Vince
Administrator

42474 Posts
Posted - 03/14/2024 :  05:01:44  
Hi Dermontti
You've raised some good points and we will look into this as soon as possible.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater
  « Topic »  
Jump To:
Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com
This page was generated in 0.02 seconds. Snitz Forums 2000