Web based family history software

Requesting new password and email sending error

14 years 6 months ago #1 by mlocati
Hello to everybody

I tried the Request new password function in the login page.

I intentionally misconfigured my PHP environment, so that PHP isn't able to send emails. When asking for a new password I can see the following error:
ERROR 2: mail() [function.mail]: SMTP server response: 550 5.7.1 Unable to relay for myemailaddress
0 Error occurred on in function mail
1 called from line 177 of file functions_mail.php in function webtreesMail
2 called from line 139 of file login_register.php

Warning: mail() [function.mail]: SMTP server response: 550 5.7.1 Unable to relay for myemailaddress in path-to-webtrees-8564\includes\functions\functions_mail.php on line 177

The email is not sent, but the user password is changed.

In such a case the user can't access the system, since he doesn't receive the notification email.

In production the email system should work. But... does it always work? What if there are momentary malfunctions? What if the ISP / hosting provider changes some parameter (like the SMTP authentication)?

In any case, it's not a real problem since the user has already forgotten his password (if it was he himself who asked for the password change...).

I think that webtrees should do one of the following two:

1) change the password only after (and if) the email is sent

2) change the password only after the email recipient clicks on the link he received in the email message (better, since this avoids password changes requested by people other than the user himself)

14 years 6 months ago #2 by ToyGuy
I like #2
Stephen

Santa Stephen the Fabled Santa
Latest webtrees at MyArnolds.com
Hosted by webtreesonline.com , a division of GeneHosts LLC
MacOS 10.6.8, Apache 2.2+, PHP 5.4.16, MySQL 5.5.28

14 years 6 months ago #3 by WGroleau

not a real problem since the user has already forgotten his password

Ah, but he might be like me--more than once I've remembered my password ten seconds after clicking the forgot link!

I agree with Stephen--the e-mail should contain a link to an unguessable URI that will allow changing the password for that user.

And the user should have to know the e-mail address associated with that account and enter it. If he has changed his address or doesn't know which address (so many of us have more than one), then he should have to persuade the admin personally who he is.

--
Wes Groleau
UniGen.us/
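
The flow proposed in this thread (option 2 from post #1, with the unguessable link and the e-mail address check from post #3), as an added example that is not webtrees code and not any poster's own. The names `requestReset`, `completeReset`, `$store`, `$sendMail` and the `example.invalid` URL are assumptions made for illustration; PHP 7.4 or later is assumed.

```php
<?php
// Added example, not webtrees code. $store is a hypothetical stand-in for
// database tables; $sendMail is a hypothetical stand-in for the mail wrapper.
function requestReset(array &$store, string $user, string $email, callable $sendMail): bool
{
    $account = $store['users'][$user] ?? null;
    if ($account === null || !hash_equals($account['email'], $email)) {
        return false;                       // unknown account or wrong address: change nothing
    }
    $token = bin2hex(random_bytes(32));     // 256-bit unguessable value for the link
    // Store only a hash of the token, so a leaked table does not yield usable links.
    $store['resets'][$user] = ['hash' => hash('sha256', $token), 'expires' => time() + 3600];
    $link = 'https://example.invalid/reset.php?user=' . rawurlencode($user) . '&token=' . $token;
    if (!$sendMail($email, $link)) {
        unset($store['resets'][$user]);     // mail failed: leave nothing to redeem
        return false;
    }
    return true;                            // the stored password is still untouched here
}

function completeReset(array &$store, string $user, string $token, string $newPassword): bool
{
    $reset = $store['resets'][$user] ?? null;
    if ($reset === null || $reset['expires'] < time()
        || !hash_equals($reset['hash'], hash('sha256', $token))) {
        return false;                       // missing, expired or wrong token
    }
    unset($store['resets'][$user]);         // single use
    $store['users'][$user]['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample account.
$store = ['users' => ['alice' => ['email' => 'alice@example.invalid',
    'password' => password_hash('old-secret', PASSWORD_DEFAULT)]], 'resets' => []];
$before = $store['users']['alice']['password'];

// Mail function that fails, like the 550 relay error in post #1.
$ok = requestReset($store, 'alice', 'alice@example.invalid', fn($to, $link) => false);
var_dump($ok, $store['users']['alice']['password'] === $before);

// Mail function that succeeds and captures the link the user would receive.
$sent = null;
$capture = function ($to, $link) use (&$sent) { $sent = $link; return true; };
requestReset($store, 'alice', 'alice@example.invalid', $capture);
parse_str(parse_url($sent, PHP_URL_QUERY), $q);
var_dump(completeReset($store, 'alice', $q['token'], 'new-secret'));
var_dump(completeReset($store, 'alice', $q['token'], 'replayed'));
```

The page that calls `requestReset` should show the same message whether it returns true or false, so the form does not reveal which accounts or addresses exist.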
