  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-27864

Password reset link not valid when reset ticket max age is set to eternal

    Details

    • Branch Version/s:
      6.1.x
    • Backported to Branch:
      Committed

      Description

      In the password policies, you can set the reset ticket max age to eternal. This implies that the ticket sent to the user for a password reset is always valid. However, once a reset is requested, the reset link sent by mail does not forward the user to the password reset screen, and the ticket is removed from the database.

      In the file /portal-web/html/portlet/password_policies_admin/edit_password_policy.jsp, the reset max age is set to 0.

      This is calculated within the UserLocalServiceImpl class in the sendPassword method:
      Date expirationDate = new Date(System.currentTimeMillis() + (passwordPolicy.getResetTicketMaxAge() * 1000)); (line 3222)

      The expiration date is set to the current date. The link is sent to the user. After clicking it, the link is processed in the UpdatePasswordAction class, where the ticket is checked for expiration (line 121); the check will always fail because the expiration date is before the current datetime.
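
The failure described above, reproduced outside the portal next to one possible correction. This is an added example, not Liferay's code or its committed fix: the class and method names are hypothetical, it assumes 0 is the stored value for "eternal", and it models the expiration check as a plain "expiration date is before now" comparison.

```java
import java.util.Date;

public class ResetTicketExpiry {

    // Assumption: the policy form stores 0 seconds to mean "eternal".
    static final long ETERNAL = 0L;

    // The calculation quoted in the report: a max age of 0 yields "now".
    static Date reportedExpiration(long nowMillis, long maxAgeSeconds) {
        return new Date(nowMillis + (maxAgeSeconds * 1000));
    }

    // Hypothetical correction: treat the sentinel explicitly and use null
    // for "never expires" instead of deriving a date from it.
    static Date expirationFor(long nowMillis, long maxAgeSeconds) {
        if (maxAgeSeconds == ETERNAL) {
            return null;
        }
        if (maxAgeSeconds < 0) {
            throw new IllegalArgumentException("negative reset ticket max age");
        }
        // The *Exact methods throw ArithmeticException instead of silently
        // wrapping into a date in the past for very large max ages.
        long lifetimeMillis = Math.multiplyExact(maxAgeSeconds, 1000L);
        return new Date(Math.addExact(nowMillis, lifetimeMillis));
    }

    // Expiration check as the report describes it, made null-aware.
    static boolean isExpired(Date expirationDate, long nowMillis) {
        return expirationDate != null && expirationDate.before(new Date(nowMillis));
    }

    public static void main(String[] args) {
        long issued = 1_700_000_000_000L;  // constructed timestamp
        long clicked = issued + 60_000L;   // link followed one minute later

        // Reported behaviour: the "eternal" ticket is already expired.
        System.out.println("reported, eternal: expired="
            + isExpired(reportedExpiration(issued, ETERNAL), clicked));
        // Corrected behaviour: the eternal ticket is still accepted.
        System.out.println("fixed, eternal:    expired="
            + isExpired(expirationFor(issued, ETERNAL), clicked));
        // A finite policy (30 s) must still expire after one minute.
        System.out.println("fixed, 30 seconds: expired="
            + isExpired(expirationFor(issued, 30L), clicked));
    }
}
```

The third case matters as a regression check: handling the sentinel must not make finite tickets outlive their configured max age.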
