OJS 2.4.7 Reset Password Link expired

EdwardDavid · October 22, 2015, 5:01pm

I have some users on one of the journals we host that cannot reset their password due to the link in the email expiring before they click on it.
I test it myself and requested a reset password. As soon as I got the email I click on the link.
I get this message “Sorry, the link you clicked on has expired or is not valid. Please try resetting your password again.”
Is there a place to set how long a link will stay active.

Thanks,
Edward

ctgraham · October 22, 2015, 5:58pm

The expiration is supposed to be 7200 seconds from the reset. It is user-definable by reset_seconds in config.inc.php.

https://github.com/pkp/ojs/commit/e7eb5507ef2dda33c264db37e60297be87bc0ff6#diff-22f011e60fab54877fdfd4efb4dcbfa6R317

I just tried this myself and reproduced the error. Here comes 2.4.7-1, I think.

asmecher · October 22, 2015, 6:22pm

Hi @ctgraham,

Were you able to track down the cause?

Thanks,
Alec Smecher
Public Knowledge Project Team

EdwardDavid · October 22, 2015, 6:23pm

So to fix this do I then apply the diff from Alec #695 above.
I have 28 journals on OJS-2.4.7 that will have this issue that I need patched.

Thanks,
Edward

ctgraham · October 22, 2015, 6:28pm

The fix doesn’t exist quite yet. I’ve opened this issue, where I think I’ve identified the broken process.

github.com/pkp/pkp-lib

Password reset fails with addition of expiration token

opened 06:27PM - 22 Oct 15 UTC

closed 08:22PM - 22 Oct 15 UTC

ctgraham

Validation::generatePasswordResetHash() now adds an expiration token for OJS. ht…tps://github.com/pkp/ojs/blob/ojs-dev-2_4/classes/security/Validation.inc.php#L307-L341 We have a lovely method which validates a password reset hash and expiration. https://github.com/pkp/ojs/blob/ojs-dev-2_4/classes/security/Validation.inc.php#L349-L359 We never use it. Instead, we compare a newly generated reset hash against the former hash, expiry and all. https://github.com/pkp/pkp-lib/blob/ojs-dev-2_4/pages/login/PKPLoginHandler.inc.php#L240-L241 C.f.: http://forum.pkp.sfu.ca/t/ojs-2-4-7-reset-password-link-expired/4768

jbutler · October 22, 2015, 7:01pm

Thanks for posting. I made a change to the password reset hash and then I wasn’t able to get into anything or reset my password. I restored files and the database from a backup and still couldn’t reset my password. Glad I’m not going crazy, I look forward to a patch.

Jim

asmecher · October 22, 2015, 7:04pm

Hi @jbutler,

@ctgraham has kindly posted a patch at the issue link above – I’ll review and test it myself shortly, but if you’re able to test it as well, I’d love to have an additional data point.

Thanks,
Alec Smecher
Public Knowledge Project Team

jbutler · October 22, 2015, 7:42pm

That fixed it.
Thanks Guys!

Jim

asmecher · October 22, 2015, 8:27pm

Hi @jbutler,

Great, that’s helpful. I’ll put OJS 2.4.7-1 online shortly with this fix included. If you’re already using OJS 2.4.7 (a.k.a. OJS 2.4.7-0), applying the patch above will be a sufficient fix too.

Regards,
Alec Smecher
Public Knowledge Project Team

foster · November 15, 2015, 5:35pm

Hello Everyone

I’ve update from OJS 2.4.6 to 2.4.7 and I’m not more able to log in with my admin password. To reset it, I’m receiving the message Reset Password link expired. Please what should I do to get back access to the system ???

Can someone help me ???

I 'v try sereral time without success…

Thanks in advance

asmecher · November 15, 2015, 7:46pm

Hi @foster,

Did you try the fix linked above? If you’re using OJS 2.4.7 (= OJS 2.4.7-0), you can either apply the patch above, or use OJS 2.4.7-1 instead.

Regards,
Alec Smecher
Public Knowledge Project Team