PUBLIC - Liferay Portal Community Edition / LPS-27864

Password reset link not valid when reset ticket max age is set to eternal

    Details

      Description

      In the password policies, you can set the reset ticket max age to eternal. This implies that the ticket sent to the user for a password reset is always valid. However, once a reset is requested, the reset link sent by mail will not forward the user to the password reset screen, and the ticket is removed from the database.

      In the file /portal-web/html/potlet/password_policies_admin/edit_password_policy.jsp, the reset max age is set to 0.

      This is calculated within the UserLocalServiceImpl class in the sendPassword method:
      Date expirationDate = new Date(System.currentTimeMillis() + (passwordPolicy.getResetTicketMaxAge() * 1000)); (line 3222)

      The expiration date is set to the current date. The link is sent to the user. After clicking it, the link is processed in the UpdatePasswordAction class, where the ticket is checked for expiration (line 121). This check will always fail because the expiration date is before the current datetime.
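The arithmetic described in the report, reproduced as an added example (not Liferay's code and not the project's fix). The class and method names, the constructed timestamps, and the choice to represent "eternal" as a null expiration date are assumptions made for illustration.

```java
import java.util.Date;

public class ResetTicketExpiry {

    // Calculation as quoted in the report: a max age of 0 ("eternal")
    // yields an expiration date equal to the moment the ticket is issued.
    static Date expirationAsReported(long nowMillis, long maxAgeSeconds) {
        return new Date(nowMillis + (maxAgeSeconds * 1000));
    }

    // Assumed alternative: treat 0 as "no expiration" and return null,
    // so the ticket check can tell "eternal" apart from "already expired".
    static Date expirationWithEternal(long nowMillis, long maxAgeSeconds) {
        if (maxAgeSeconds == 0) {
            return null;
        }
        return new Date(nowMillis + (maxAgeSeconds * 1000));
    }

    // Expiration check: a ticket without an expiration date never expires.
    static boolean isExpired(Date expirationDate, long nowMillis) {
        return expirationDate != null
            && expirationDate.before(new Date(nowMillis));
    }

    public static void main(String[] args) {
        long issued = 1350000000000L;    // constructed issue time
        long clicked = issued + 60000L;  // link opened one minute later
        long eternal = 0L;               // value stored for "eternal"
        long oneDay = 86400L;            // finite max age, in seconds

        Date reported = expirationAsReported(issued, eternal);
        Date handled = expirationWithEternal(issued, eternal);
        Date finite = expirationWithEternal(issued, oneDay);

        System.out.println("eternal, as reported, expired: "
            + isExpired(reported, clicked));
        System.out.println("eternal, null expiration, expired: "
            + isExpired(handled, clicked));
        System.out.println("one day, after one minute, expired: "
            + isExpired(finite, clicked));
        System.out.println("one day, after two days, expired: "
            + isExpired(finite, issued + 2 * oneDay * 1000));
    }
}
```

The finite case is included to show that special-casing 0 leaves ordinary expiry enforcement unchanged.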

              People

              Assignee:
              sharry.shi Sharry Shi
              Reporter:
              rderegt Rogier de Regt (Inactive)
              Participants of an Issue:
              Recent user:
              Esther Sanz

                Dates

                Days since last comment:
                9 years, 6 weeks, 2 days ago

                  Packages

                  Version Package
                  6.1.1 CE GA2
                  6.1.20 EE GA2
                  --Sprint 11/12
                  6.2.0 CE M2