tgely Posted July 19, 2012

Hi, thanks for the new release first! It works. I upgraded my shop and will give some advice if you don't mind.

If you use Security Pro by FWR Media the return links don't work. Add exclusions if needed:

    $security_pro->addExclusion('password_reset.php');
    $security_pro->addExclusion('password_forgotten.php');

HTML email updates are needed for the password_forgotten.php templates. I have tested a lot. If customers logged in before, she/he can reach password_forgotten.php on a direct link (http://myshop/password_forgotten.php). This is weird, and the login page can be displayed again when customers are logged in.

Regards, Gergely

osCommerce based shop owner with minimal design and focused on background works. When less is more. Email management with tracking pixel, package management for shipping, stock management, warehouse management with bar code reader, parcel shop management on 3000 pickup points without local store.
Guest Posted July 19, 2012

Hi, I just saw 2.3.2 is out. What are the new features of 2.3.2, and is it worth upgrading to it?
Guest Posted July 19, 2012

It's OK, I just read the release announcement for 2.3.2. Not many changes; I think I will stick with 2.3.1 for now.
multimixer Posted July 19, 2012

@ianhaney I don't think that you are able to judge the changes of version 2.3.2. Version 2.3.2 is a major security improvement; there is quite a lot of work in it and the subject is quite complicated. It's completely indifferent and of no interest to anyone what you will do with your own store. Anyone should do the upgrade.

EDIT: And please don't hijack the topic; let's discuss here possible issues etc. with the upgrade, connected to addons etc.

My community profile | Template system for osCommerce - New: Responsive | Feedback channel
Guest Posted July 19, 2012

Hi, I know I'm not. So it's worth upgrading then, and is it compatible with the 2.3.1 addons?
burt Posted July 19, 2012

> If you use Security Pro by FWR Media the return links don't work. Add exclusions if needed:
>
>     $security_pro->addExclusion('password_reset.php');
>     $security_pro->addExclusion('password_forgotten.php');

Nice catch, thank you Gergely.

> If customers logged in before, she/he can reach password_forgotten.php on a direct link (http://myshop/password_forgotten.php). This is weird, and the login page can be displayed again when customers are logged in.

I added

    if (tep_session_is_registered('customer_id')) {
      tep_redirect(tep_href_link(FILENAME_ACCOUNT, '', 'SSL'));
    }

in the password_forgotten.php and password_reset.php files, underneath

    require('includes/application_top.php');

When a person is already logged in, it is undesirable to allow them to use the new reset functionality.

Cheers, Gary
Harald Ponce de Leon Posted July 19, 2012

Hi Gary..

> I added
>
>     if (tep_session_is_registered('customer_id')) {
>       tep_redirect(tep_href_link(FILENAME_ACCOUNT, '', 'SSL'));
>     }
>
> in the password_forgotten.php and password_reset.php files, underneath
>
>     require('includes/application_top.php');
>
> When a person is already logged in, it is undesirable to allow them to use the new reset functionality.

That's not really necessary for password_reset.php, as it redirects the customer to password_forgotten.php when no valid e-mail address or password reset key exists in the URL.

Kind regards, Harald Ponce de Leon, osCommerce
♥Biancoblu Posted July 19, 2012

> If you use Security Pro by FWR Media the return links don't work. Add exclusions if needed:
>
>     $security_pro->addExclusion('password_reset.php');
>     $security_pro->addExclusion('password_forgotten.php');

Nice catch, thank you Gergely. Could anyone please tell me where to add that exclude code exactly? In what file? Thanks.

~ Don't mistake my kindness for weakness ~
multimixer Posted July 19, 2012

>     if (tep_session_is_registered('customer_id')) {
>       tep_redirect(tep_href_link(FILENAME_ACCOUNT, '', 'SSL'));
>     }
>
> in the password_forgotten.php and password_reset.php files, underneath
>
>     require('includes/application_top.php');

> That's not really necessary for password_reset.php, as it redirects the customer to password_forgotten.php when no valid e-mail address or password reset key exists in the URL.

I just checked the following 2 cases, and in both the system reacts correctly, displaying the message "The password reset link was not found in our records, please try again by generating a new link." and redirecting to password_forgotten.php.

Case 1:
- click on password forgotten
- enter email
- click on emailed link and login
- click again on emailed link

Case 2:
- click on password forgotten
- enter email
- login with original (old) password
- click on emailed link

Not correct is, as @Gergely pointed out, that after password_forgotten.php, clicking "back" I arrive at login.php even when logged in, so @burt's addition makes sense.
Harald Ponce de Leon Posted July 19, 2012

> Not correct is, as @Gergely pointed out, that after password_forgotten.php, clicking "back" I arrive at login.php even when logged in, so @burt's addition makes sense.

So the redirect to FILENAME_ACCOUNT can/should be added to password_forgotten.php and login.php...? These links are not visible anywhere after the customer has logged in; the only hole is if a logged-in customer wants to change their password but has forgotten their existing password and seems to go to password_forgotten.php/login.php somehow (instead of the technically correct logout -> password forgotten method).
tgely (Author) Posted July 19, 2012

@Biancoblu Hi, in application_top.php, after this code:

    // Security Pro by FWR Media
    include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
    $security_pro = new Fwr_Media_Security_Pro;
♥Biancoblu Posted July 19, 2012

@Gergely Thanks, I appreciate it. Gary and Harald were also telling me in chat that you can also add the excludes to /includes/modules/fwr_media_security_pro.php, line 50. Thought I'd share in case anybody else wonders.
multimixer Posted July 19, 2012

> So the redirect to FILENAME_ACCOUNT can/should be added to password_forgotten.php and login.php...? These links are not visible anywhere after the customer has logged in; the only hole is if a logged-in customer wants to change their password but has forgotten their existing password and seems to go to password_forgotten.php/login.php somehow (instead of the technically correct logout -> password forgotten method).

There are cases where somebody can arrive at password_forgotten.php/login.php, e.g. the 2 cases above, or in case a store has direct links to those pages placed somewhere, without taking care that the links appear only if the user is not logged in.

While we could say that direct links are a store owner's problem (to be more careful about how he creates links), the chance to get to those pages via expected user behavior is there. People often click multiple times on links.

Another option would be that password_reset.php logs the visitor out by default?
tgely (Author) Posted July 19, 2012

Hi @Harald Ponce de Leon, the "hole" is not simple. I can be logged in as a customer but my wife forgot her password for the same shop. So, to help her, I can generate a new password forgotten link using her email address. Why not? We have to decide this: is it useful for logged-in customers, or are they not allowed to get a new password forgotten link?

The upgrade is perfect, but I was the silly user :-)
burt Posted July 19, 2012

My thought is that logged-in customers should not be able to access the new reset functionality. They already know their password, and they can change it via the account screen. It seems to me a little strange, even for a husband/wife, to share such details.
tgely (Author) Posted July 19, 2012

@Biancoblu

> @Gergely Thanks, I appreciate it. Gary and Harald were also telling me in chat that you can also add the excludes to /includes/modules/fwr_media_security_pro.php, line 50. Thought I'd share in case anybody else wonders.

Yes, the class functions work everywhere :-) Robert is a good programmer. I said this because FWR gives these instructions in his code:

    // Security Pro by FWR Media
    include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
    $security_pro = new Fwr_Media_Security_Pro;
    // If you need to exclude a file from cleansing then you can add it like below
    //$security_pro->addExclusion( 'some_file.php' );

but the module array would be a nicer place. Use it however you like. There are a lot of fix possibilities.

    // Array of files to be excluded from cleansing, these can also be added in application_top.php if preferred using Fwr_Media_Security_Pro::addExclusion()
tgely (Author) Posted July 19, 2012

@burt

> It seems to me a little strange, even for a husband/wife, to share such details.

:D I secured my computer boot/BIOS with passwords and bought my wife a new laptop. It's a perfect fix when you are married! :thumbsup:
multimixer Posted July 19, 2012

> My thought is that logged-in customers should not be able to access the new reset functionality. They already know their password, and they can change it via the account screen.

I agree with this; things should be separated: a logged-in customer should not be able to access login, create account, password forgotten or the new password reset.
♥PassionSeed Posted July 19, 2012

Consider this scenario: a customer has their browser remembering passwords. They share the store login credentials and computer with their significant other. Well, things didn't go well in the relationship! They go their separate ways. The main account holder decides to change the password, but they don't remember it (the browser is remembering it for them). The change password functionality on the account_password.php page requires the user to enter their current password. If they don't know the current password and they are logged in, how would they go about changing/resetting their password?

Remember, our customers may not think about internet security as we may. Keep in mind that the password link will expire after 24 hours or after the action has been completed, whichever comes first. Allowing "logged in" users access to the reset password functionality may be OK??? What do you think about this?
tgely (Author) Posted July 19, 2012

@PassionSeed This is not as complicated as you say. Logged-in customers can change everything in their account (account.php) but should not be able to reach the password_forgotten.php link directly, for example by going back in the browser, typing password_forgotten.php in the URL line or clicking an outdated link in emails. (Email links redirect customers to the password_forgotten.php page if the password was changed and the link is outdated.)

The redirect is not good in password_reset.php and needs to be changed for outdated mail links. It is easy to fix, but this issue needs the direct link problems cleared up later as navigation errors.

Possible fix in password_reset.php for outdated links:

    if (tep_session_is_registered('customer_id')) {
      // go to the account page and say hello to silly users :-)
      tep_redirect(tep_href_link(FILENAME_ACCOUNT_PASSWORD));
    }
tgely (Author) Posted July 19, 2012

@burt The first fix is the better way. I would complete the account_password.php functionality with silly-user notifications and use the history class to build session notes. Outdated and live links need to be separated. 2 cases:

The live link: "You are already logged in. Use your account to change your password. If you clicked a link not intended for you, log off from the store first and click again to change the other user's password."

Outdated link: "You are already logged in. Use your account to change your password."

Regards, Gergely
Harald Ponce de Leon Posted July 19, 2012

> I said this because FWR gives these instructions in his code:
>
>     // Security Pro by FWR Media
>     include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
>     $security_pro = new Fwr_Media_Security_Pro;
>     // If you need to exclude a file from cleansing then you can add it like below
>     //$security_pro->addExclusion( 'some_file.php' );
>
> but the module array would be a nicer place. Use it however you like. There are a lot of fix possibilities.

Robert (@FWR Media) is going to release an update to the Add-On soon with an official fix :thumbsup:

Kind regards
Irin Posted July 19, 2012

Hello, I updated all the files as per the instructions. However, when I click on the password forgotten button and enter my email address, it gives an error: "Error: A password reset link has already been sent. Please try again in 5 minutes." No matter what I do, I can't get past that error. What am I missing here? Please help...
♥Biancoblu Posted July 19, 2012

> Robert (@FWR Media) is going to release an update to the Add-On soon with an official fix :thumbsup:

Great news :thumbsup:
Harald Ponce de Leon Posted July 19, 2012

Hi Irina..

> I updated all the files as per the instructions. However, when I click on the password forgotten button and enter my email address, it gives an error: "Error: A password reset link has already been sent. Please try again in 5 minutes." No matter what I do, I can't get past that error. What am I missing here?

You have to install and enable the Customer Password Reset Action Recorder module, which is described near the end of the upgrade guide. The Customer Password Reset Action Recorder module must be enabled at the following page:

Administration Tool -> Modules -> Action Recorder -> Install Module -> Customer Password Reset -> Install Module

Kind regards
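The controls argued over in this thread, refusing the reset flow to a logged-in customer, validating the key from the e-mailed link, the 24-hour expiry, single use, and the "already been sent, try again in 5 minutes" rate limit that the Action Recorder module enforces, modelled together in plain PHP as an added example. This is not osCommerce's own code: the function names, the in-memory arrays standing in for the customers table and the action recorder log, and the sample customer are all assumptions.

```php
<?php
// Added example, not osCommerce code. In-memory arrays stand in (assumption)
// for the customers table and the Action Recorder log.
declare(strict_types=1);

const RESET_KEY_TTL   = 24 * 3600; // e-mailed link lifetime: 24 hours
const RESET_RATELIMIT = 5 * 60;    // one request per address per 5 minutes

// password_forgotten.php / password_reset.php guard: a logged-in customer is
// sent to the account page instead of being allowed into the reset flow.
function guardForLoggedIn(array $session): ?string
{
    return isset($session['customer_id']) ? 'account.php' : null;
}

// password_forgotten.php: issue a key, rate-limited per e-mail address.
function requestReset(string $email, array &$customers, array &$actionLog, int $now): array
{
    if (isset($actionLog[$email]) && ($now - $actionLog[$email]) < RESET_RATELIMIT) {
        return ['ok' => false, 'error' => 'A password reset link has already been sent.'];
    }
    $actionLog[$email] = $now;                // record the attempt even for unknown addresses
    if (!isset($customers[$email])) {
        return ['ok' => true, 'key' => null]; // same answer, so the address is not revealed
    }
    $key = bin2hex(random_bytes(16));         // 128-bit unguessable key
    $customers[$email]['reset_key'] = $key;
    $customers[$email]['reset_at']  = $now;
    return ['ok' => true, 'key' => $key];     // the shop e-mails this; it is returned only for the demo
}

// password_reset.php: the link is valid only if a key is outstanding, it matches,
// and it has not expired.
function validateResetLink(string $email, string $key, array $customers, int $now): bool
{
    $c = $customers[$email] ?? null;
    if ($c === null || $c['reset_key'] === null) {
        return false;
    }
    if (!hash_equals($c['reset_key'], $key)) { // constant-time comparison
        return false;
    }
    return ($now - $c['reset_at']) <= RESET_KEY_TTL;
}

// Completes the reset and clears the key, so the link is single-use.
function completeReset(string $email, string $key, string $newPassword, array &$customers, int $now): bool
{
    if (!validateResetLink($email, $key, $customers, $now)) {
        return false;
    }
    $customers[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $customers[$email]['reset_key'] = null;
    $customers[$email]['reset_at']  = null;
    return true;
}

// Walk-through with a constructed customer record.
$customers = ['alice@example.com' => ['password_hash' => '', 'reset_key' => null, 'reset_at' => null]];
$actionLog = [];
$now = time();

var_dump(guardForLoggedIn(['customer_id' => 1]));                        // logged in: redirect target
var_dump(guardForLoggedIn([]));                                          // guest: no redirect
$first  = requestReset('alice@example.com', $customers, $actionLog, $now);
$second = requestReset('alice@example.com', $customers, $actionLog, $now + 60); // inside the 5-minute window
var_dump($first['ok'], $second['ok']);
var_dump(validateResetLink('alice@example.com', 'not-the-key', $customers, $now));                  // wrong key
var_dump(validateResetLink('alice@example.com', $first['key'], $customers, $now + 2 * RESET_KEY_TTL)); // expired
var_dump(completeReset('alice@example.com', $first['key'], 'new-secret', $customers, $now + 3600));   // live link
var_dump(validateResetLink('alice@example.com', $first['key'], $customers, $now + 3600));             // already used
```

Run it with `php reset_flow.php`. The rate-limit entry is written before the address is looked up, so an attacker cannot tell a known address from an unknown one by timing their second request, and the key check uses `hash_equals()` rather than `==` so that the comparison does not leak how many leading characters matched. Which response the guard should send (account page or account_password.php, as discussed above) is a product decision; the function only makes that decision explicit and testable.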
Archived
This topic is now archived and is closed to further replies.