On my platform, the administrator creates a user whose password is randomly generated, and this automatically sends an email to the new user. The email contains a link that leads to the reset-password page (which for the user is effectively a password-creation page, because he does not know that a password has already been generated for him).
The problem is that when the user clicks the email link and arrives on the change-password page, he is logged in as admin and therefore has permissions he should not have.
In fact, I want the email link to log the new user into his own account; I don't want him to be logged in as admin. I'm not sure how to do this.
I don't know much about tokens. I believe the token is generated based on the session used (?).
Thank you in advance for your help.
Here is the code for creating a user:
    /**
     * @Route("/new", name="user_new", methods={"GET", "POST"})
     * @throws TransportExceptionInterface
     */
    public function new(Request $request, MailSender $mailSender, UserPasswordHasherInterface $passwordHasher): Response
    {
        // TODO CHECK IF USER ALREADY EXISTS BY EMAIL
        $user = new User();
        $form = $this
            ->createForm(UserType::class, $user)
            ->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            // Throwaway password: it is never shown or sent to anyone. The user
            // chooses a real one through the emailed link, so a random value
            // replaces the earlier hard-coded "password" placeholder.
            $user->setPassword($passwordHasher->hashPassword($user, bin2hex(random_bytes(32))));
            $this->entityManager->persist($user);
            $this->entityManager->flush();

            // The token is bound to the user (not to the admin's session) and
            // is what the activation link will carry.
            try {
                $resetToken = $mailSender->makeToken($user);
            } catch (ResetPasswordExceptionInterface $e) {
                return $this->redirectToRoute('user_new');
            }

            $mailInfos = [
                'template' => "reset_password/email_activate.html.twig",
                'subject'  => "Activer votre compte",
                'email'    => $user->getEmail(),
            ];
            $mailSender->sendMail($resetToken, $mailInfos);
            $mailSender->storeToken($resetToken);

            return $this->redirectToRoute('user_index', [], Response::HTTP_SEE_OTHER);
        }

        return $this->renderForm('user/new.html.twig', [
            'user' => $user,
            'form' => $form,
        ]);
    }
CodePudding user response:
This is expected behaviour because:
multiple tabs/instances of the same browser will usually share the same server-side session when interacting with the same domain.
This means that you can't be logged in as different users in different tabs by default.
And I don't think you would want this; just think of the downsides: do you really want to log in again for every tab? This is very uncommon practice. Imagine you opened a Stack Overflow question in a new tab and you were not logged in there.
There are ways to achieve this, but really re-think whether that's your actual use case. I don't think so: you are just developing your feature and testing it, and my assumption is that in production a new user will not already be logged in as admin.
So for testing your feature, just use a private tab (which usually does not share the same server-side session).
If you want to learn more, I found this pretty cool SO thread where users try to explain as best as possible: What are sessions? How do they work?
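The answer explains why the admin's session shows up when the link is opened in the same browser. What decides which account the link changes, though, is the reset-password action itself, and that is where the security-relevant check lives: the account must be the one bound to the emailed token, never the one in the current session. The controller below is an added example, not code from the original post or from the project; it assumes symfonycasts/reset-password-bundle (the source of the ResetPasswordExceptionInterface the question already uses), the Symfony\Bundle\SecurityBundle\Security helper from SecurityBundle 6.2 or later, and a hypothetical ChangePasswordFormType with a plainPassword field. The MailSender wrapper from the question is not used.

```php
<?php
// Added example (not the original poster's code): an activation action that
// identifies the account by the emailed token and, before logging that
// account in, ends any session another user (e.g. the admin who created
// the account) still holds in this browser.
// Assumes symfonycasts/reset-password-bundle and SecurityBundle >= 6.2.

namespace App\Controller;

use App\Form\ChangePasswordFormType; // assumed: a form with a 'plainPassword' field
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
use Symfony\Component\Routing\Annotation\Route;
use SymfonyCasts\Bundle\ResetPassword\Exception\ResetPasswordExceptionInterface;
use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelperInterface;

class ActivateAccountController extends AbstractController
{
    public function __construct(
        private ResetPasswordHelperInterface $resetPasswordHelper,
        private EntityManagerInterface $entityManager,
    ) {
    }

    /**
     * @Route("/activate/{token}", name="account_activate", methods={"GET", "POST"})
     */
    public function activate(
        Request $request,
        string $token,
        Security $security,
        UserPasswordHasherInterface $passwordHasher
    ): Response {
        // 1. The token alone decides whose password is being set. The
        //    session, which an admin may still own in this browser, is never
        //    consulted for that decision.
        try {
            $user = $this->resetPasswordHelper->validateTokenAndFetchUser($token);
        } catch (ResetPasswordExceptionInterface $e) {
            $this->addFlash('reset_password_error', 'The activation link is invalid or has expired.');

            return $this->redirectToRoute('app_login'); // assumed login route name
        }

        $form = $this->createForm(ChangePasswordFormType::class);
        $form->handleRequest($request);

        if (!$form->isSubmitted() || !$form->isValid()) {
            return $this->renderForm('reset_password/activate.html.twig', ['form' => $form]);
        }

        // 2. The token is single use: remove the stored request before the
        //    password changes, so a replayed link cannot set it again.
        $this->resetPasswordHelper->removeResetRequest($token);

        $user->setPassword(
            $passwordHasher->hashPassword($user, $form->get('plainPassword')->getData())
        );
        $this->entityManager->flush();

        // 3. If someone else is logged in here (the admin from the question),
        //    end that session so their privileges do not carry over to the
        //    new user. logout(false) skips the CSRF check a logout route
        //    would normally enforce; logout() throws if nobody is logged in,
        //    hence the guard.
        if ($security->getUser() !== null) {
            $security->logout(false);
        }

        // 4. Authenticate the token's owner on the current firewall. If the
        //    firewall has more than one authenticator, pass its name as the
        //    second argument, e.g. $security->login($user, 'form_login').
        $security->login($user);

        return $this->redirectToRoute('user_index', [], Response::HTTP_SEE_OTHER);
    }
}
```

Two caveats when adapting this. First, the controller that the bundle's maker generates additionally moves the token out of the URL into the session and redirects to a token-less URL, so the token is not leaked through the Referer header or browser history; the example keeps it in the URL for brevity. Second, the new user is logged in only after the session that reached the page has been ended, so testing in the same browser as the admin now behaves like production: whoever opens the link ends up as the account the token belongs to, never as the admin.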
