Reminders, CAPTCHAs and registered users

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Reminders, CAPTCHAs and registered users
« on May 15th, 2012, 11:03 PM »
OK, so I thought about implementing a CAPTCHA for the reminder widget. It is a method of identifying email addresses - and it never gets trapped by the error handler anywhere - and ultimately something that's going to limit the points of intrusion can only be a good thing.

So I started looking at the code and something odd about action=reminder struck me: it still works for logged in members too. Now this is really weird because I'm not sure it isn't a bug, but I'm not sure it isn't intentional behaviour either.

Let me explain. If you hit up action=reminder, you get thrown into the reminder handler, which has a bunch of subactions. But if no subaction is given, it will actually load the 'please give us the username or email address' prompt, due to no specified subaction, the relevant template being loaded and then hitting up template_main from Reminder.template.php.

That part seems half like an oversight, but the more I play around with it, the more I'm not sure about it being one. It seems almost fortunate that it happens to fall into the main reminder template (as opposed to other places, i.e. almost everywhere, where it explicitly sets the subaction if no valid one was found or none was supplied), but I don't see any 'is_guest' checks.

Then it hit me. You can't change your own password if you don't know your current one - and there's no way in the profile area to change your own password directly if you have forgotten it, meaning if you did want to change anything, you'd have to go through the reminder section - and it would let you, though whether you should be able to do so is debatable.

So, there's the question: should you be able to call the reset-password stuff if you're logged in, and if not, how should you be able to reset it from inside the profile area, since you can't change your password if you can't remember your current one?

It's a tricky one, but something that occurs to me. (Of course, I could just ignore it, implement the CAPTCHA anyway, and just not bother if the user is a registered member at the point of filling in the form.)
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial
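The dispatch pattern described in the post, as an added illustration (hypothetical PHP, not Wedge's or SMF's own Reminder.php): a missing or unknown subaction is normalised to an explicit default rather than falling through by accident, the is_guest decision is a deliberate setting instead of an omission, and the CAPTCHA is only demanded of guests. The subaction names, the $user array shape and the function names are assumptions made for the example.

```php
<?php
// Hypothetical reminder dispatcher, added here as an illustration; it is not
// the forum's own code. Subaction names and the $user array are assumed.

// Assumed set of valid subactions for action=reminder.
const REMINDER_SUBACTIONS = ['main', 'pick', 'secret', 'setpassword'];

// Subactions where a guest actually submits identifying data and so should
// face the CAPTCHA; 'main' only renders the prompt.
const REMINDER_CAPTCHA_STEPS = ['pick', 'secret'];

/**
 * Decide how action=reminder should be handled for this request and user.
 *
 * Returns ['subaction' => string, 'captcha' => bool] on success or
 * ['error' => string] when the caller should refuse the request.
 */
function reminder_dispatch(array $request, array $user, bool $allowLoggedIn = false): array
{
    // Explicit default: an absent or unrecognised 'sa' becomes 'main' on purpose,
    // instead of being left unset and landing on template_main by coincidence.
    $sa = $request['sa'] ?? 'main';
    if (!in_array($sa, REMINDER_SUBACTIONS, true)) {
        $sa = 'main';
    }

    // The is_guest gate the post found missing. Whether a logged-in member may
    // use the reminder at all is a setting, so the behaviour is never accidental.
    if (empty($user['is_guest']) && !$allowLoggedIn) {
        return ['error' => 'reminder_not_for_members'];
    }

    // CAPTCHA only for guests, and only on the steps that submit the form.
    $captcha = !empty($user['is_guest']) && in_array($sa, REMINDER_CAPTCHA_STEPS, true);

    return ['subaction' => $sa, 'captcha' => $captcha];
}

// Constructed sample requests to show each branch.
$guest  = ['is_guest' => true,  'email' => ''];
$member = ['is_guest' => false, 'email' => 'member@example.invalid'];

$cases = [
    'guest, no sa'            => [[], $guest, false],
    'guest, sa=pick'          => [['sa' => 'pick'], $guest, false],
    'guest, bogus sa'         => [['sa' => 'nonsense'], $guest, false],
    'member, default setting' => [[], $member, false],
    'member, allowed'         => [['sa' => 'pick'], $member, true],
];

foreach ($cases as $label => [$request, $user, $allow]) {
    printf("%-25s => %s\n", $label, json_encode(reminder_dispatch($request, $user, $allow)));
}
```

With $allowLoggedIn left at its default the member case is refused outright; flipping it to true yields the other behaviour discussed in the thread, where a member reaches the same steps a guest would but without a CAPTCHA. Either way the choice is recorded in one place instead of depending on which template the missing subaction happens to fall into.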

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: Reminders, CAPTCHAs and registered users
« Reply #1, on May 16th, 2012, 07:17 AM »
Quote from Arantor on May 15th, 2012, 11:03 PM
So, there's the question: should you be able to call the reset-password stuff if you're logged in, and if not, how should you be able to reset it from inside the profile area, since you can't change your password if you can't remember your current one?
From my perspective, absolutely not! It could lead to account hijacking, something we've encountered several times on one of the sites I administer. In those cases, members were accessing the site from Internet Cafes and then forgetting to log out.

As a related thought, maybe a plug-in could be developed that adds a new field to the user's profile and a required question to the registration page basically asking "Do you access using (a) your private computer or (b) through a friend's or public-access computer?". If the answer given is "b", then always limit the online session to a maximum of X minutes (where X is an admin-specified value).

live627

  • Should five per cent appear too small / Be thankful I don't take it all / 'Cause I'm the taxman, yeah I'm the taxman
  • Posts: 1,667
A confident man keeps quiet, whereas a frightened man keeps talking, hiding his fear.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Reminders, CAPTCHAs and registered users
« Reply #3, on May 16th, 2012, 02:46 PM »
Quote
From my perspective, absolutely not! It could lead to account hijacking, something we've encountered several times on one of the sites I administer. In those cases, members were accessing the site from Internet Cafes and then forgetting to log out.
Well, actually I'm not so sure about that.

You can't change password or email from the profile page - unless you can actually provide the password anyway. Not even admins can change their own password or email without knowing their current password. Now, I'm suggesting a button that essentially resends the password change email - it will only send it to that email, which is in practice no different to just going to action=reminder and filling in the name/email anyway. In both cases, the email goes out and in both cases it would be possible regardless of being logged in or not (since you can call for a forgotten password with the username, rather than the email address).

Re plugin, you could do some of it with CPF but you'd have to have the other stuff tied to it which is a source change (since I'm not sure on how much of a plugin that could be)...

The thing is, what if I register and answer (a) but then I hop on the forum from an internet cafe or similar? It needs something a bit more than that, actually.