Login's ResetPassword - how long do you have before it expires? Cache dependent?

Hi all,

I’ve been working with the Login extra on a site which has repurposed the ResetPassword functionality for having a new user whose MODX>User has just been created by a snippet to immediately change their password.

The site is having issues with folks clicking the URL provided to them and not being met with the ‘expired’ message.

I went digging through the code to see if I could find out how long users have and it appears that the function verifyIdentity() in the ResetPassword controller tries to read confirmation from the cache. (https://github.com/modxcms/Login/blob/04ccc73a3f93201fada4dbfbf54065ce22379038/core/components/login/controllers/web/ResetPassword.php#L108)

Some testing seems to have confirmed this, but I just wanted to verify if anyone in the know can ratify it - does this mean that if the site cache happens to be emptied or otherwise expires (WITHIN the window between the password reset being ‘ordered’ and the link being visited) that means the user won’t be able to change their password on that attempt and will need to go around again?

Thanks for any help.

I think you are correct.

It looks like the value gets written to the default cache partition without an expiration time.


Maybe it would be a better idea to use a custom partition in this case:

//Writes the data to its own cache partition with an expiry time of 2 hours.
$options = array(
	xPDO::OPT_CACHE_KEY => 'resetpassword',
);
$this->modx->cacheManager->set('login/resetpassword/'.md5($fields['id'].':'.$fields['username']),$password, 7200, $options);

Thank you - this worked beautifully and avoided the site’s clear-cache function.

For those playing at home, I updated the following files. Note that I updated the files in the package which means they’ll be overwritten at the next update of the Login extra. (Buyer beware.)

core/components/login/controllers/web/ForgotPassword.php starting at line 234
Replaced

$this->modx->cacheManager->set('login/resetpassword/'.md5($fields['id'].':'.$fields['username']),$password);

with

$options = array(
  xPDO::OPT_CACHE_KEY => 'resetpassword',
);
$time = 3600*2; // Two hour lifespan
$this->modx->cacheManager->set('login/resetpassword/'.md5($fields['id'].':'.$fields['username']),$password, $time, $options);

core/components/login/controllers/web/ResetPassword.php starting at line 113 inside verifyIdentity() I added

$options = array(
  xPDO::OPT_CACHE_KEY => 'resetpassword',
);

and replaced

$cachePass = $this->modx->cacheManager->get($cacheKey);

with

$cachePass = $this->modx->cacheManager->get($cacheKey,$options);

And starting at line 121 inside eraseCache() I added

$options = array(
  xPDO::OPT_CACHE_KEY => 'resetpassword',
);

and replaced

$this->modx->cacheManager->delete($cacheKey);

with

$this->modx->cacheManager->delete($cacheKey,$options);
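
The write, read and delete patched above all have to name the same partition. The following is an added example, not code from the Login extra or from the posters, which models that with a hypothetical in-memory class. `PartitionedCacheModel`, the sample id/username, the password value and the timestamps are constructed, and it assumes (as the thread reports) that the site's clear-cache empties only the default partition.

```php
<?php
// Added illustration: in-memory model of a partitioned cache with expiry.
// PartitionedCacheModel is hypothetical; it is not MODX or xPDO code.
final class PartitionedCacheModel
{
    private array $store = []; // partition => key => [value, expiresAt|null]

    public function set(string $key, string $value, int $ttl = 0, string $partition = 'default', int $now = 0): void
    {
        // A ttl of 0 models a write with no expiration time.
        $this->store[$partition][$key] = [$value, $ttl > 0 ? $now + $ttl : null];
    }

    public function get(string $key, string $partition = 'default', int $now = 0): ?string
    {
        $entry = $this->store[$partition][$key] ?? null;
        if ($entry === null || ($entry[1] !== null && $now >= $entry[1])) {
            unset($this->store[$partition][$key]); // absent or past its lifetime
            return null;
        }
        return $entry[0];
    }

    public function delete(string $key, string $partition = 'default'): void
    {
        unset($this->store[$partition][$key]);
    }

    public function clear(string $partition): void
    {
        unset($this->store[$partition]); // models emptying one partition
    }
}

$cache = new PartitionedCacheModel();
$t0 = 1700000000;                               // constructed timestamp
$key = 'login/resetpassword/' . md5('42:jdoe'); // constructed id:username
$r = [];
$cache->set($key, 'Temp-Pass-1');               // write without partition or lifetime
$cache->clear('default');                       // cache emptied before the link is visited
$r['default partition: valid after clear'] = $cache->get($key) !== null;

$cache->set($key, 'Temp-Pass-1', 7200, 'resetpassword', $t0);
$cache->clear('default');
$r['own partition: valid after clear'] = $cache->get($key, 'resetpassword', $t0 + 600) !== null;
$cache->delete($key);                           // delete that omits the partition
$r['own partition: still present after that delete'] = $cache->get($key, 'resetpassword', $t0 + 600) !== null;
$r['own partition: valid after 7200 s'] = $cache->get($key, 'resetpassword', $t0 + 7200) !== null;
foreach ($r as $label => $ok) { echo $label, ': ', var_export($ok, true), PHP_EOL; }
```

The third result is the one to watch when patching `eraseCache()`: a delete that does not pass the partition leaves the temporary password in the cache until its lifetime runs out.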