solved Does the User Re-authenticate option interfere with Forgot login process?

researchcooperative
@researchcooperative
2 months ago
649 posts
In ACP>Users>Glob config>Account>Re-authenticate, the help note says:

"If this option is checked, when a user attempts to change their email address or password they will have to enter their existing password to continue. Default: on"

So what happens if a user has to change a password that was forgotten?

Will having the Re-authenticate option on make it impossible for someone to use just his/her email (in the Forgot login page) to receive a link for updating their password?


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

updated by @researchcooperative: 22 Dec 2020 04:02:08PM
michael
@michael
2 months ago
7,310 posts
different locations.

The first is when a logged in user opens their MY ACCOUNT page and changes their password to something else, it will prompt "Please enter your current password".

And if they've forgotten that, then they will need to ask an admin user for assistance.

So Forgot Password is a system for currently logged out users to get back in. Re-authenticate is a system for logged in users to confirm they know the password.
researchcooperative
@researchcooperative
2 months ago
649 posts
Hmmm.

To log in, a user must know their password, so they are not likely to have forgotten it. But it could happen that a computer is left on unattended, and stays logged in, and then someone without authority tries to change the password. Is this the scenario that Re-authenticate is designed to prevent? Or even worse situations when a computer has been hacked, and an attempt is made remotely to change a password?

In any case, it seems you are saying that activating Re-authenticate does not prevent logged out users from getting back in if they use the Forgot Password form. So that's good to know.

Thanks...
michael
@michael
2 months ago
7,310 posts
Yeah, for whatever reason.

A profile admin tries to change that user's password, but the master site admin doesn't want profile admins to do that, so turns this on so that only master admins and the owner can change the details.

At some point in time someone requested the ability for some reason I can't remember, now the feature exists.
researchcooperative
@researchcooperative
2 months ago
649 posts
Best wishes for 2021!

We haven't solved 2020, but we can move on :-)