MyBB Community Forums

Full Version: password resets not working
I've had 2 users complain in the past 2 weeks that they're unable to change their passwords using the password reset functionality - they request a password reset, it sends them the code to use, they try to use the code, but it does not work. I'm using mybb 1.8.5.

Is this a known issue? I swear there were discussions about this being problematic in the past...

edit- here's the previous discussion from 1.6 days: http://community.mybb.com/thread-118273.html
Hi Andrew,

The password reset function's "Activation Code" is easy to misinterpret as being a "new" password, but it is only an "activation" that, only when used, will generate a new password and send a second email with the actual password.

I would almost be willing to bet the farm that your members are trying to use the "Activation Code" sent in the first email as their new password. I would go on to bet that when that doesn't work, they requested ANOTHER password reset and when they checked their email again, they overlooked the 2nd email containing the real password and skipped right to the 3rd email containing another activation code, then when the new activation code did not grant them access yet again, they assumed something was wrong with the reset function and asked you to fix a non-existent bug.

If you have not tried this process with your own account, I suggest that you give it a whirl. If you can reset your own password with no issues, GREAT! There is a very good chance user confusion is the real problem. However, if you cannot reset your own password and you know you are doing it correctly, there is probably a genuine bug somewhere and my expertise stops short of knowing where you should look to find it.

I am planning to rework the activation & password combo emails and site message with some different wording and some bold/colored formatting highlighting that the first code is only an "activation" step and that the actual password will be sent in a second email. I haven't had any complaints myself, but I am aware of this issue because I test everything ... and the way to find issues like this is to purposely NOT READ instructions because very few people do. If it is fairly easy to make a mistake because there was no text explaining anything - you can count on a % of your users making it.

Good Luck! & Let us know either way - if there is a password reset issue, I would like to know about it just in case.


Note: another pitfall can occur if users are allowed multiple accounts with the same email address (and email is used as a login). The reset function sends a reset for each account associated with that email so users need to read carefully and match up the correct codes with the correct accounts.
(2015-08-29, 09:50 PM)Dexie Wrote: [ -> ]Hi Andrew,

The password reset function's "Activation Code" is easy to misinterpret as being a "new" password, but it is only  an "activation" that, only when used, will generate a new password and send a second email with the actual password.

I would almost be willing to bet the farm that your members are trying to use the "Activation Code" sent in the first email as their new password. I would go on to bet that when that doesn't work, they requested ANOTHER password reset and when they checked their email again, they overlooked the 2nd email containing the real password and skipped right to the 3rd email containing another activation code, then when the new activation code did not grant them access yet again, they assumed something was wrong with the reset function and asked you to fix a non-existent bug.

If you have not tried this process with your own account, I suggest that you give it a whirl.  If you can reset your own password with no issues, GREAT!  There is a very good chance user confusion is the real problem.  However, if you cannot reset your own password and you know you are doing it correctly, there is probably a genuine bug somewhere and my expertise stops short of knowing where you should look to find it.

I am planning to rework the activation & password combo emails and site message with some different wording and some bold/colored formatting highlighting that the first code is only an "activation" step and that the actual password will be sent in a second email.  I haven't had any complaints myself, but I am aware of this issue because I test everything ... and the way to find issues like this is to purposely NOT READ instructions because very few people do.  If it is fairly easy to make a mistake because there was no text explaining anything  - you can count on a % of your users making it.

Good Luck!  & Let us know either way - if there is a password reset issue, I would like to know about it just in case.  


Note:  another pitfall can occur if users are allowed multiple accounts with the same email address (and email is used as a login).  The reset function sends a reset for each account associated with that email so users need to read carefully and match up the correct codes with the correct accounts.

this issue has been discussed previously..it's likely a bug that still exists from 1.6 as seen in the thread I mentioned in my OP.
Yes, I read that thread.

Still, it is a mistake that a significant number of users will make.

The number of failure attempts with the 15 minute 'time-out' can compound the problem as well, although I suspect that may be related to a cache issue. I know from experience that the session cookie path setting can mess up user authentication - and until cache is cleared you may not even notice something is amiss; but in that case everyone would have log-in issues.

All that said, if your settings are correct and the reset works fine for you... then I would refer back to my original answer.
(2015-08-29, 09:50 PM)Dexie Wrote: [ -> ]I would almost be willing to bet the farm that your members are trying to use the "Activation Code" sent in the first email as their new password.

If that was the issue, it would be easily solved with a plugin hook that accepts the activation key in the password field.

But somehow I doubt it. The mail is very specific about it being an activation code, and it links you directly to the right place, so - getting it wrong takes some serious effort.

If you have access logs of your webserver, check for member.php?action=resetpassword. If the user followed the direct link it should show up verbatim as action=resetpassword&uid=123&code=ABC.

If this is not in your logs, the chances of PEBKAC skyrocket.

I already posted in the old thread: http://community.mybb.com/thread-118273-...#pid914469 and labrocca also had some good ideas but the issue is hard to reproduce; you'd have to catch it in the act and debug on-site to know for sure where and why it's failing.
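
Added example (not part of the post above and not MyBB code): one way to run the access-log check just described, assuming the web server writes Combined Log Format. The function names and the sample log lines are constructed for illustration; the reset code is reported only by length because a code logged in a query string is itself a credential.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def reset_requests(lines):
    """Return one record per member.php?action=resetpassword request."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        if not url.path.endswith("/member.php"):
            continue
        q = parse_qs(url.query, keep_blank_values=True)
        if q.get("action", [""])[0] != "resetpassword":
            continue
        uid = q.get("uid", [""])[0]
        code = q.get("code", [""])[0]
        found.append({
            "ip": m["ip"], "time": m["time"], "status": int(m["status"]),
            "uid": uid or None,
            "code_len": len(code),  # never echo the code itself
            # True only when the emailed link (uid + code) was followed
            "followed_link": bool(uid and code),
        })
    return found

def link_hits_per_uid(records):
    """Count followed-link requests per uid; repeats hint at repeated resets."""
    counts = {}
    for r in records:
        if r["followed_link"]:
            counts[r["uid"]] = counts.get(r["uid"], 0) + 1
    return counts

# Constructed sample lines (documentation IP ranges, made-up sizes).
SAMPLE = [
    '203.0.113.7 - - [30/Aug/2015:05:14:40 +0000] "GET /member.php?action=resetpassword&uid=123&code=ABC HTTP/1.1" 200 4876 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Aug/2015:06:02:13 +0000] "GET /member.php?action=resetpassword HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Aug/2015:06:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rec in reset_requests(SAMPLE):
        print(rec)
```

A record with `followed_link` false means the user reached the reset page without the emailed uid and code in the URL, which is the case the post treats as pointing to user error.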
(2015-08-29, 11:25 PM)frostschutz Wrote: [ -> ]The mail is very specific about it being an activation code, and it links you directly to the right place, so - getting it wrong takes some serious effort.

Not really. There are a lot of things that can go wrong when clicking a link from your email server/client/software - whatever. Sometimes it is the email syntax (from the site) and other times it is - who knows! Additionally, there is a block of text at the bottom with the activation code - given my own habits, I am more likely to copy-paste the code directly than I am clicking on a link. This is partially because I have received so many phishing emails that, frankly, I just prefer to type in the html address myself so that I do not end up on a 'fake' site. I also know quite a few others who interact with email links the same way. Also, I have clicked on links before and it crashed my browser by spamming me with a million and a half 'pop-up' windows that cannot be closed... either advertising for 'virus' software or assaulting me with unwanted pornographic images and such.

It is true that most people will click on the link, but I believe as the battle against spam and phishing continues to grow, you may discover more and more users doing things the 'long' way. Not to mention sometimes users just switch to a new tab to grab the email - then switch back to copy paste the code they received - only to realize that they actually needed the link, but instead of going back to click the link in the email, they simply click the back button to go to the login page again - and then paste the 'code' they grabbed into the login box (not having actually read the email stating it is an activation code ... blah blah blah).

My point is that it really doesn't take 'serious' effort to mess it up - just a few eccentric behavior patterns (and we all have them).

Your other points are well taken.

Out of curiosity, has anyone created a hook for 1.8 as you suggested?
(2015-08-29, 11:25 PM)frostschutz Wrote: [ -> ]
(2015-08-29, 09:50 PM)Dexie Wrote: [ -> ]I would almost be willing to bet the farm that your members are trying to use the "Activation Code" sent in the first email as their new password.

If that was the issue, it would be easily solved with a plugin hook that accepts the activation key in the password field.

But somehow I doubt it. The mail is very specific about it being an activation code, and it links you directly to the right place, so - getting it wrong takes some serious effort.

If you have access logs of your webserver, check for member.php?action=resetpassword. If the user followed the direct link it should show up verbatim as action=resetpassword&uid=123&code=ABC.

If this is not in your logs, the chances of PEBKAC skyrocket.

I already posted in the old thread: http://community.mybb.com/thread-118273-...#pid914469 and labrocca also had some good ideas but the issue is hard to reproduce; you'd have to catch it in the act and debug on-site to know for sure where and why it's failing.

that's exactly how it shows up for the user that was complaining about not being able to reset their password.
(2015-08-30, 05:37 AM)andrewjs18 Wrote: [ -> ]that's exactly how it shows up for the user that was complaining about not being able to reset their password.

Not sure what "it" refers to in your sentence, maybe you could quote only the part you're actually referring to?

The log shows up so the user did follow the action=resetpassword&uid=123&code=ABC yet it did not work?

Are you able to reproduce the issue?
(2015-08-30, 09:41 AM)frostschutz Wrote: [ -> ]
(2015-08-30, 05:37 AM)andrewjs18 Wrote: [ -> ]that's exactly how it shows up for the user that was complaining about not being able to reset their password.

Not sure what "it" refers to in your sentence, maybe you could quote only the part you're actually referring to?

The log shows up so the user did follow the action=resetpassword&uid=123&code=ABC yet it did not work?

Are you able to reproduce the issue?

sorry, yes, the access logs show this bit: member.php?action=resetpassword&uid=123&code=ABC and it didn't work for that user.

I'll set up a test account at some point today to do some testing.

just tested. some strange stuff....

when entering in the new random password it sent me, it errored out, but it still logged me in....

this is the error it shows: "You seem to have entered an invalid password reset code. Please re-read the email you were sent or contact the forum administrators for more help." but I'm logged in with that account and changing my user settings as we speak...

I did a few more things. I requested a 2nd password reset. This time when trying to log in, rather than using the random password it emailed to me, I used some random password I made up that met the password requirements - it did not log me in. I then tried using the password it sent me and adding a number onto the end of it...it again failed to login. when I tried a 3rd time without modifying the password it sent me, it worked and without throwing any errors this time.
That happens when you use the quick login on the password reset form. It redirects you back to where you were and that's the (no longer valid) password reset page... maybe it worked after all and the user was just confused by this message?