| Bug : | Password recovery failure if the IP is renewed |
| Status : | Fixed |
| Severity : | Normal |
| Reporter : | Kilandor |
| Updated by : | Olivier C. |
| Category : | Default plugins |
| Version : | 121 |
| Frequency : | Consistently |
| Fixed in : | 125 |
| Details : | This is actually a problem for anyone with non-static IPs. After clicking the validation link and returning to the site, it successfully creates the cookie/session. But on attempting to go to the profile or anywhere else, you're no longer logged in. This occurs when the IP address field is empty (I only know this, and know it is not normal, due to importing users from a different CMS), or the IP does not match the current IP. Meaning if IP security is enabled, anyone whose IP has changed will never ever be able to recover their password. To fix this, the IP for the user should be updated when the password recovery request is submitted. Line 48 change Code: `$sql = sed_sql_query("UPDATE $db_users SET user_lostpass='$validationkey' WHERE user_id='$ruserid'");` To Code: `$sql = sed_sql_query("UPDATE $db_users SET user_lostpass='$validationkey', user_lastip='".$usr['ip']."' WHERE user_id='$ruserid'");` |
| Items affected : | plugins/passrecover/passrecover.php |
History and comments :
| 28-11-2007 18:51 Olivier C. PM sent to the reporter : |
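
The failure described in the report, and the effect of the proposed change to the `UPDATE`, as a stand-alone model. This is an added example, not code from `plugins/passrecover/passrecover.php`: the function names, the in-memory user rows, the validation key and the IP addresses are all constructed, and the IP check is an assumption based on the report's description of "IP security".

```php
<?php
// Added illustration; not the project's code. All rows, names and
// addresses below are constructed for the example.

// Assumed model of the IP-bound login check from the report: with IP
// security enabled, a session is honoured only when the IP stored for
// the user equals the address the client is using now.
function session_accepted(array $user, string $clientIp, bool $ipSecurity): bool
{
    return !$ipSecurity || $user['user_lastip'] === $clientIp;
}

// Before the fix: the recovery request stores only the validation key.
function request_recovery_before(array $user, string $key, string $clientIp): array
{
    $user['user_lostpass'] = $key;
    return $user;
}

// After the fix: the requester's current IP is stored with the key,
// mirroring the added user_lastip assignment in the UPDATE statement.
function request_recovery_after(array $user, string $key, string $clientIp): array
{
    $user['user_lostpass'] = $key;
    $user['user_lastip']   = $clientIp;
    return $user;
}

$currentIp = '203.0.113.25'; // constructed: address after the IP was renewed
$cases = [
    'stale stored IP'          => ['user_id' => 7, 'user_lastip' => '198.51.100.10', 'user_lostpass' => ''],
    'empty IP (imported user)' => ['user_id' => 8, 'user_lastip' => '',              'user_lostpass' => ''],
];
$variants = ['before' => 'request_recovery_before', 'after' => 'request_recovery_after'];

foreach ($cases as $label => $row) {
    foreach ($variants as $when => $fn) {
        $updated = $fn($row, 'constructed-validation-key', $currentIp);
        $result  = session_accepted($updated, $currentIp, true) ? 'accepted' : 'rejected';
        printf("%-26s %-6s fix: session %s\n", $label, $when, $result);
    }
}
```

In this model the match depends on the address being the same when the request is submitted and when the validation link is followed, because the stored IP is written at request time.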