#2527: Invalid token upon LDAP confirmation
---------------------------+---------------------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Systems Admin | Keywords:
---------------------------+---------------------------------------
Many users complain about an "Invalid token" error being returned by the LDAP account
creation verification link (or password reset). These are due to their
MUAs pre-visiting incoming links (some form of security treatment, which
is instead an INSECURE way to do things, if you ask me, as visiting a link
can DO something [as in this case]).
This ticket is to update the scripts (https://git.osgeo.org/gitea/sac/web-cgi-bin)
to only act upon POST and provide a form which POSTs when
clicking a button if called with a GET. This should fix this problem.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2527>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
#2527: Invalid token upon LDAP confirmation
---------------------------+----------------------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2020-II
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+----------------------------------------
Changes (by strk):
* status: new => closed
* resolution: => fixed
Comment:
I changed both password reset and account creation confirmation pages to
require clicking a button on the web page. This should stop virulent MUAs
from confirming operations without users realizing it...
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2527#comment:1>
Comment (by strk):
For the record, this was done with https://git.osgeo.org/gitea/sac/web-cgi-bin/commit/5f8fa208036454efa7f5d1b16ecc5b8221b72c88
and its four parent commits.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2527#comment:2>
Comment (by strk):
For the record: the change was still not good enough, as it only printed
the form on GET; instead, with https://git.osgeo.org/gitea/sac/web-cgi-bin/commit/c1c657e8e76a6ec5345f8cf891c6ca00d05105d0
we always print the form UNLESS the method POST is used (some MUAs are using HEAD).
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2527#comment:3>
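The pattern the ticket converges on (the confirmation script changes state only on POST; every other method, HEAD included, gets a page with a button that POSTs the token back) as an added Python example. This is not the web-cgi-bin code from the commits above: the handler name, the `/cgi-bin/confirm` path and the in-memory single-use token store are assumptions, and `simulate_mua_prefetch` replays the failure mode from the ticket with constructed requests.

```python
"""Confirmation endpoint that acts only on POST.

Added example, not the OSGeo web-cgi-bin scripts. The token store is a
constructed in-memory dict; a real deployment would use the LDAP-side
pending record and expire tokens.
"""
import html
import secrets

# Constructed stand-in for the real one-shot token store:
# maps token -> username awaiting confirmation.
PENDING = {}


def issue_token(username):
    """Create a single-use confirmation token for `username` (assumed helper)."""
    token = secrets.token_urlsafe(24)
    PENDING[token] = username
    return token


def render_form(action, token):
    """HTML page whose only effect is to POST the token back to `action`.

    Every non-POST request gets this page, so a mail client that
    pre-fetches the link (GET or HEAD) never consumes the token.
    """
    return (
        "<html><body>"
        "<p>Click the button to confirm this operation.</p>"
        f'<form method="POST" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="token" value="{html.escape(token, quote=True)}">'
        '<input type="submit" value="Confirm">'
        "</form></body></html>"
    )


def handle(method, token, script_path="/cgi-bin/confirm"):
    """Return (http_status, body). Only POST changes state.

    Mirrors the final fix in the ticket: print the form UNLESS the method
    is POST, rather than only when it is GET, so HEAD is covered too.
    """
    if method != "POST":
        body = "" if method == "HEAD" else render_form(script_path, token)
        return 200, body
    # POST: consume the token atomically; an unknown or reused token fails.
    username = PENDING.pop(token, None)
    if username is None:
        return 400, "Invalid token"
    return 200, f"Account {html.escape(username)} confirmed"


def simulate_mua_prefetch(token):
    """Replay the ticket's scenario with constructed requests.

    The mail client pre-visits the link with HEAD and GET before the user
    ever clicks; then the user submits the form; then the token is replayed.
    Returns the status code of each step.
    """
    steps = [
        handle("HEAD", token)[0],   # prefetch: form, no state change
        handle("GET", token)[0],    # prefetch: form, no state change
        handle("POST", token)[0],   # the user's click: token consumed
        handle("POST", token)[0],   # replay: token already used -> 400
    ]
    return steps


if __name__ == "__main__":
    print(simulate_mua_prefetch(issue_token("alice")))
```

The check worth keeping from the ticket's second comment is the one on `method != "POST"`: a handler that shows the form only on GET still lets a HEAD pre-fetch reach the state-changing branch. Note that the form itself does not need a session or CSRF secret beyond the token, because the token is the single-use capability being confirmed; what the button adds is a deliberate user action that automated link checkers do not perform.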