Results 1 to 9 of 9
  1. #1
    Join Date
    Nov 2006
    Posts
    57
    Plugin Contributions
    0

    bug Forgot your password? : Does not validate?

    Hi All

    I'm busy setting up a new store with v1.5.3 and came across this:

    On index.php?main_page=password_forgotten; any value or no value entered here is accepted, with the reply: "A new password has been sent to your email address."

    I've set up a complete fresh install as well, thinking that maybe I broke something while busy on my new store, but I get the same problem there as well.

    Has anyone else come across this?

    Apologies if this has been asked and answered somewhere else, as this seems like such a basic function (and would have been reported by now), but I could not find anything in the forum for this.

    Thank you
    Warren

  2. #2
    Join Date
    Jan 2004
    Posts
    66,387
    Blog Entries
    7
    Plugin Contributions
    81

    Default Re: Forgot your password? : Does not validate?

    Are you saying something's malfunctioning or just that it's not telling you "hey, you forgot to enter an email address"?
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Nov 2006
    Posts
    57
    Plugin Contributions
    0

    Default Re: Forgot your password? : Does not validate?

    If I click the submit link to get a new password, with the email address field empty, it does not show the usual message stack warning.
    I have the same behavior when I enter for example "dggsd sdg rsg" and click submit. It does not seem to be going through the validation to make sure that a proper email address has been entered and it also is not checking that the email address entered actually exists.


    I see it has server side validation so when I have the field empty or just rubbish entered and click "submit" I should get the following message stack "Error: The Email Address was not found in our records; please try again."

    Instead it gives me the green message stack "A new password has been sent to your email address."
    Last edited by this side up; 5 Aug 2014 at 07:38 AM. Reason: additional info

  4. #4
    Join Date
    Jul 2012
    Posts
    16,751
    Plugin Contributions
    17

    Default Re: Forgot your password? : Does not validate?

    Haven't tested this response myself, but relatively speaking a credential checking application should not provide a different message for any error other than possibly indicating that overall an error was made. I.e., if any error message is provided, it should be the same for a username that does not exist or an improperly entered username. By providing different responses for different errors, one can then discover information about the operation and membership of the site.

    Perhaps the better fix that would prevent divulging information would be something like, thank you for submitting your request, as applicable an email will be sent to the account holder.

    Just a "thought". Partially considering that if too much of an email check was incorporated it may become difficult to detangle and allow other forms of login credentials from being used...
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  5. #5
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,611
    Plugin Contributions
    88

    Default Re: Forgot your password? : Does not validate?

    Processing on the password_forgotten page was updated in v1.5.3 so the "password sent" message is given automatically. You really don't want a message that indicates that a properly-entered email address doesn't exist, but I agree that the processing should be somewhat modified to return a "Please enter a valid email address" if the value entered is either blank or (er) not a valid email address.

  6. #6
    Join Date
    Jan 2004
    Posts
    66,387
    Blog Entries
    7
    Plugin Contributions
    81

    Default Re: Forgot your password? : Does not validate?

    Exactly. It's a security thing. If you want to read up on it, it's called "user enumeration", where a different error message is shown if there is no match vs when there is one, and it allows hackers to learn more about your site than they ought to know.

    In behind, the system is doing what it's supposed to do. I suppose in the future we could change the message to be even more generic, instead of even saying it "sent" anything at all. But it should no longer ever tell you whether what you entered was valid or not. (Notwithstanding a "blank" should indeed do nothing, or could safely say "hey silly you forgot to enter anything" ... but that's a pretty low-severity kind of issue.)
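    The pattern the last three replies converge on (reject blank or malformed input with a format message, but never let the response reveal whether a syntactically valid address belongs to an account) is easy to get wrong, so here is an added illustration. This is not Zen Cart's own code and not anything from the thread's participants; it is a small Python stand-in for the password_forgotten handler, with a constructed customer table and an in-memory outbox in place of the real database and mailer. The message strings are taken from the thread. The "leaky" handler shows the behaviour the original poster expected (different messages for known and unknown addresses); the "uniform" handler shows the enumeration-resistant version, and a helper checks whether a handler's responses can distinguish a real account from a made-up one.

```python
import re
from dataclasses import dataclass, field

# Constructed sample customer table standing in for the store's database.
CUSTOMERS = {"warren@example.com": "Warren"}

# Deliberately simple syntactic check: something@something.something, no whitespace.
# It only decides whether the input is worth looking up; it says nothing about membership.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

MSG_INVALID = "Please enter a valid email address."
MSG_NOT_FOUND = "Error: The Email Address was not found in our records; please try again."
MSG_SENT = "A new password has been sent to your email address."
MSG_GENERIC = ("If our system recognises your email address, a new password "
               "will be sent to you shortly.")


@dataclass
class Outbox:
    """Stand-in for the mailer: records the addresses a reset mail would go to."""
    sent: list = field(default_factory=list)


def leaky_password_forgotten(email: str, outbox: Outbox) -> str:
    """Enumeration-prone variant: the reply itself tells the caller whether the
    address exists, which is the behaviour the thread's first post expected."""
    email = (email or "").strip().lower()
    if email not in CUSTOMERS:
        return MSG_NOT_FOUND          # leaks: only unknown addresses get this text
    outbox.sent.append(email)
    return MSG_SENT                   # leaks: only known addresses get this text


def uniform_password_forgotten(email: str, outbox: Outbox) -> str:
    """Enumeration-resistant variant as suggested in the replies above:
    blank or malformed input gets a format error, anything syntactically valid
    gets one and the same generic message whether or not an account exists."""
    email = (email or "").strip().lower()
    if not EMAIL_RE.match(email):
        return MSG_INVALID            # safe: depends only on the input, not on the database
    if email in CUSTOMERS:
        outbox.sent.append(email)     # the only account-dependent effect is the email itself
    return MSG_GENERIC                # identical for known and unknown addresses


def distinguishable(handler, known: str, unknown: str) -> bool:
    """True if the handler's visible response differs between a known and an unknown address,
    i.e. if the response alone supports user enumeration."""
    return handler(known, Outbox()) != handler(unknown, Outbox())


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_password_forgotten),
                          ("uniform", uniform_password_forgotten)):
        print(name, "distinguishable:",
              distinguishable(handler, "warren@example.com", "nobody@example.com"))
```

Running the block prints that the leaky handler is distinguishable and the uniform one is not. Note that the format check is applied before any database lookup, so its rejection message cannot depend on what is in the customer table; that is what makes it safe to show while the membership result stays hidden.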

  7. #7
    Join Date
    Nov 2006
    Posts
    57
    Plugin Contributions
    0

    Default Re: Forgot your password? : Does not validate?

    Thank you.
    "In behind, the system is doing what it's supposed to do."
    I get the security aspect. Don't like it. But I suppose we do have to play it closer to the chest nowadays...

    I just know customers (who either forgot what they registered with, or just entered it in badly) will tell us they could not get passwords sent to them because our system is not working (when it actually is). "BUT, YOUR system says it has sent me a new password!? Now you say it may have not? What do you mean...?"

    Validating the email address formatting on the client side I think is a must.
    In the meantime, I'm going to edit the success message so that it reads something along the lines of "If our system has recognised your email address, a new password will be sent to you immediately. Need assistance? Contact us .....".

    This would improve the general customer experience.

    But, I suppose in the bigger scheme of things it is a "low-severity kind of issue".
    I'll have to add this to the to-do list.

  8. #8
    Join Date
    Jan 2004
    Posts
    66,387
    Blog Entries
    7
    Plugin Contributions
    81

    Default Re: Forgot your password? : Does not validate?

    Quote Originally Posted by this side up View Post
    Validating the email address formatting on the client side I think is a must.
    Validating the *formatting*? Why? That's not going to help them recover a password. Other than, again, "hey, stupid, you can't type".
    NOTE: The email address formatting *is* already validated when creating an account.

    Nevertheless, we'll be updating the wording in v1.6.0, to remove the ambiguity.

  9. #9
    Join Date
    Nov 2006
    Posts
    57
    Plugin Contributions
    0

    Default Re: Forgot your password? : Does not validate?

    Quote Originally Posted by DrByte View Post
    Validating the *formatting*? Why? That's not going to help them recover a password. Other than, again, "hey, stupid, you can't type".

    He he... If only I could say that. BUT I've used a similar message to the one displayed when using the forgotten password feature for the admin.
