[Bug 2242] Proposal: introduce an expiry time for the temporary password

2008-12-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=2242


Brion Vibber  changed:

   What|Removed |Added

 CC||br...@wikimedia.org
   Keywords|need-review |patch




--- Comment #7 from Brion Vibber 2008-12-30 03:45:02 UTC ---
Couple notes:

1) Setting the expiration in hours seems sub-ideal to me, since nearly all
time-based config options are in seconds.

I'd recommend renaming $wgPasswordReminderResetTime to $wgNewPasswordExpiry and
setting it in seconds.

2) The password reset form also uses checkTemporaryPassword() and it looks like
it'll take the 'EXPIRED' return as 'true', indicating that it's ok to do the
reset, thus bypassing the expiry.

As a general security principle against exposing information leaks, as well as
to avoid any other potential call funkiness, it might be best to simply return
false here, considering the expired password to just not match. This would be
the same as if the temporary password had been wiped out, say by another new
password request or a successful reset completion -- these cases would not tell
you that it used to be correct, they'd just consider it invalid.


2) The new password email text should include the expiry time.

3) I'd recommend 7 days rather than 2 as the default; I know I don't get around
to some websites within 48 hours if I get busy doing something else (say, over
the weekend).

4) Patch appears to be adding UTF-8 BOM characters, need to be removed. :)


-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
You are on the CC list for the bug.

___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
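
Point 2 of comment #7 in code form, as an added example that is not part of the original thread and not MediaWiki's code: a check that reports expiry as a distinct value passes a caller's truthiness test, while a check that treats expired as "does not match" cannot. All function names, the constant and the sample data are hypothetical and constructed for this illustration.

```php
<?php
// Added illustration; every name here is hypothetical, not MediaWiki's code.
// sha256 stands in for the real password hash to keep the example short.

const NEW_PASSWORD_EXPIRY = 7 * 24 * 3600; // seconds; assumed value for this example

/** 'Before' shape: expiry is reported as a distinct, non-empty string. */
function checkTempTriState(array $user, string $candidate, int $now) {
    if (!hash_equals($user['temp_hash'], hash('sha256', $candidate))) {
        return false;
    }
    if ($now >= $user['temp_issued'] + NEW_PASSWORD_EXPIRY) {
        return 'EXPIRED'; // a non-empty string is truthy in any if (...) test
    }
    return true;
}

/** Hardened shape: an expired password is indistinguishable from a wrong one. */
function checkTempBlind(array $user, string $candidate, int $now): bool {
    // Both conditions are always evaluated, so the result carries no hint
    // about which of the two failed.
    $matches = hash_equals($user['temp_hash'], hash('sha256', $candidate));
    $fresh = $now < $user['temp_issued'] + NEW_PASSWORD_EXPIRY;
    return $matches && $fresh;
}

/** A caller that treats the check as a plain boolean, as a reset form would. */
function resetAllowed($checkResult): bool {
    return $checkResult ? true : false;
}

// Constructed sample data: temporary password issued 8 days before $now.
$now = 1230609902;
$user = [
    'temp_hash' => hash('sha256', 'constructed-temp-pw'),
    'temp_issued' => $now - 8 * 24 * 3600,
];

// Tri-state check, correct but expired password.
var_dump(resetAllowed(checkTempTriState($user, 'constructed-temp-pw', $now)));
// Blind check, correct but expired password.
var_dump(resetAllowed(checkTempBlind($user, 'constructed-temp-pw', $now)));
// Blind check, wrong password.
var_dump(resetAllowed(checkTempBlind($user, 'wrong-guess', $now)));
```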


[Bug 2242] Proposal: introduce an expiry time for the temporary password

2008-12-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=2242


Brion Vibber  changed:

   What|Removed |Added

   Keywords||bugday






[Bug 2242] Proposal: introduce an expiry time for the temporary password

2008-12-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=2242





--- Comment #9 from Brion Vibber 2008-12-30 18:06:27 UTC ---
Looking good! A couple quick bits...

+   if( time() < $expiry ) {
+   return false;
+   } else {
+   return true;
+   }
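
Review bot: The branches of the quoted `if( time() < $expiry )` block return false while the current time is still before $expiry and true once it has passed, which is inverted if true is meant to signal a still-usable temporary password. Collapsing the block to a single `return time() < $expiry;` removes the chance of swapping the branches, and it is worth deciding explicitly whether the password is still accepted at the exact second where time() equals $expiry.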

I think you want to reverse these...


+Your temporary password will expire in $5 days.

This should probably use {{PLURAL}} to properly handle the case where it's set
to 1 day. Might want to round, also, in case a non-even number is used (7.33327
days :)



> The only thing I am not sure of is what happens after their password expires.
> Is their account simply locked out?

Once the temporary password is expired, it just won't work anymore. To log in
with a temporary password, a new temporary password will have to be requested.
The original password continues to work the whole time, unless the temporary
password is actually used successfully.




[Bug 2242] Proposal: introduce an expiry time for the temporary password

2008-12-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=2242


Tyler Romeo  changed:

   What|Removed |Added

Attachment #5032 is|0   |1
   obsolete||




--- Comment #8 from Tyler Romeo 2008-12-30 17:58:05 UTC ---
Created an attachment (id=5631)
 --> (https://bugzilla.wikimedia.org/attachment.cgi?id=5631)
Updated diff - Blind check of temporary password

OK, this patch has checkTemporaryPassword() return false if the password is
expired, meaning it will only appear as a wrong password.

The only thing I am not sure of is what happens after their password expires.
Is their account simply locked out?




[Bug 2242] Proposal: introduce an expiry time for the temporary password

2009-01-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=2242


^demon  changed:

   What|Removed |Added

Attachment #5631 is|0   |1
   obsolete||




--- Comment #10 from ^demon 2009-01-02 20:53:42 UTC ---
Created an attachment (id=5642)
 --> (https://bugzilla.wikimedia.org/attachment.cgi?id=5642)
Update to last patch

Updated against the last patch.

(In reply to comment #9)
> Looking good! A couple quick bits...
> 
> +   if( time() < $expiry ) {
> +   return false;
> +   } else {
> +   return true;
> +   }
> 
> I think you want to reverse these...
> 

Done.

> +Your temporary password will expire in $5 days.
> 
> This should probably use {{PLURAL}} to properly handle the case where it's set
> to 1 day. Might want to round, also, in case a non-even number is used 
> (7.33327
> days :)
> 

Did the PLURAL support, as well as rounded.




[Bug 2242] Proposal: introduce an expiry time for the temporary password

2009-01-06 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=2242


^demon  changed:

   What|Removed |Added

 CC||innocentkil...@gmail.com
 Status|NEW |RESOLVED
 Resolution||FIXED




--- Comment #11 from ^demon 2009-01-06 16:22:19 UTC ---
Went ahead and applied patch in r45450.




[Bug 2242] Proposal: introduce an expiry time for the temporary password

2009-01-06 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=2242


Brion Vibber  changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|FIXED   |




--- Comment #12 from Brion Vibber 2009-01-07 03:55:13 UTC ---
Notice:  Undefined variable: wgNewPasswordExpiry in /Library/WebServer/Documents/trunk/includes/User.php on line 2710

Reverted in r45485




[Bug 2242] Proposal: introduce an expiry time for the temporary password

2009-01-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=2242


^demon  changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||FIXED




--- Comment #13 from ^demon 2009-01-07 14:35:43 UTC ---
Re-fixed in r45503

