CP password expiration form usually has an expired key. #11261

Open
jxr-koda opened this issue Dec 16, 2024 · 0 comments
Bug description

When the user is logged into the control panel but inactive, they will be logged out and shown a password entry dialogue box to log back in. That form contains a temporal hash. If the user waits too long to revisit the control panel, the hash in the password form will be expired and the first attempt to log back in will fail. In practice, this is the most common case as it's rare for a user to leave the control panel long enough to be logged out but return soon enough for the hash to be valid.

How to reproduce

Log in to the control panel. Leave the window open for a long time (I don't know exactly how long). Attempt to log in. Notice that your first attempt fails and you are prompted a second time.

Logs

No response

Environment

Environment
Application Name: AsbestosClaims.Law
Laravel Version: 11.35.1
PHP Version: 8.3.6
Composer Version: 2.7.1
Environment: local
Debug Mode: ENABLED
URL: asbestosclaims.law.test
Maintenance Mode: OFF
Timezone: UTC
Locale: en

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: file
Database: sqlite
Logs: stack / single
Mail: log
Queue: sync
Session: file

Sentry
Enabled: YES
Environment: local
Laravel SDK Version: 4.10.1
PHP SDK Version: 4.10.0
Release: NOT SET
Sample Rate Errors: 100%
Sample Rate Performance Monitoring: 100%
Sample Rate Profiling: NOT SET
Send Default PII: DISABLED

Statamic
Addons: 1
Sites: 2 (English, Español)
Stache Watcher: Enabled
Static Caching: Disabled
Version: 5.42.1 PRO

Statamic Addons
stillat/antlers-components: 2.4.0

Installation

Fresh statamic/statamic site via CLI

Additional details

There seem to be two potential solutions. First would be to remove the hash from the form entirely. This may be an option given that only the password is being transmitted and not their email address, which means the extra security of the hash may not be necessary.

Alternatively, instead of immediately prompting the user for their password, we could display a dialogue box with a single button that will subsequently bring up a fresh password form.
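The report above describes a re-authentication form that carries a time-limited token, and a first login attempt that fails once that token has aged out. The following is an added example, not code from the Statamic project or from the issue author, showing one way such a token can be built and checked so that an expired token is told apart from a forged one: the expired case then re-issues a fresh form instead of being counted as a failed password attempt. The class name `ReauthToken`, the `issue`/`check`/`handleReauth` functions, the secret, the TTL and the session IDs are all assumptions made for this illustration.

```php
<?php
// Added example (not Statamic's code): a time-limited HMAC token for a
// re-authentication form. Validation distinguishes 'ok', 'expired' and
// 'invalid' so the caller can refresh the form on expiry rather than
// failing the user's first attempt.

declare(strict_types=1);

final class ReauthToken
{
    // $secret and $ttlSeconds are hypothetical parameters; in a real app the
    // secret would be derived from the application key.
    public function __construct(
        private string $secret,
        private int $ttlSeconds = 900,
    ) {}

    /** Build "sessionId|expiresAt|hmac", base64-encoded for embedding in a form. */
    public function issue(string $sessionId, ?int $now = null): string
    {
        $now ??= time();
        $expires = $now + $this->ttlSeconds;
        // Fields must not contain the '|' separator; session IDs here are constructed.
        $payload = $sessionId . '|' . $expires;
        $mac = hash_hmac('sha256', $payload, $this->secret);
        return base64_encode($payload . '|' . $mac);
    }

    /** Returns 'ok', 'expired' or 'invalid'. */
    public function check(string $token, string $sessionId, ?int $now = null): string
    {
        $now ??= time();
        $decoded = base64_decode($token, true);
        if ($decoded === false) {
            return 'invalid';
        }
        $parts = explode('|', $decoded);
        if (count($parts) !== 3) {
            return 'invalid';
        }
        [$sid, $expires, $mac] = $parts;
        // Verify the MAC (constant-time) before trusting any field, including
        // the expiry, so an attacker cannot extend a stale token.
        $expected = hash_hmac('sha256', $sid . '|' . $expires, $this->secret);
        if (!hash_equals($expected, $mac)) {
            return 'invalid';
        }
        if ($sid !== $sessionId) {
            return 'invalid';
        }
        if ((int) $expires < $now) {
            return 'expired';
        }
        return 'ok';
    }
}

/**
 * Hypothetical request handler: only evaluate the password when the token is
 * live; on expiry hand back a fresh token so the next submit is the user's
 * real first attempt; anything else is rejected outright.
 */
function handleReauth(ReauthToken $tokens, string $token, string $sessionId, callable $checkPassword): array
{
    return match ($tokens->check($token, $sessionId)) {
        'ok'      => $checkPassword() ? ['status' => 'authenticated'] : ['status' => 'bad_password'],
        'expired' => ['status' => 'refresh', 'token' => $tokens->issue($sessionId)],
        default   => ['status' => 'rejected'],
    };
}

// Usage with constructed values (fixed clock so the example is deterministic).
$tokens = new ReauthToken('example-secret-not-for-production', 900);
$issued = $tokens->issue('sess-abc', 1_700_000_000);
$fresh  = $tokens->check($issued, 'sess-abc', 1_700_000_500);
$stale  = $tokens->check($issued, 'sess-abc', 1_700_001_000);
$wrong  = $tokens->check($issued, 'sess-xyz', 1_700_000_500);
```

With the constructed clock values, the first `check` call is within the 900-second window, the second is past it, and the third presents a token bound to a different session. A front end that receives the `refresh` status can swap in the new token and re-present the form, which is the "fresh password form" behaviour the second proposed solution describes, without dropping the signed binding between the form and the session.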
