Bug 103511 - The URL in the 'recover password' email redirects to login page
Summary: The URL in the 'recover password' email redirects to login page
Alias: None
Product: Red Hat Web Application Framework
Classification: Retired
Component: ui
Version: nightly
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: ccm-bugs-list
QA Contact: Jon Orris
Depends On:
Blocks: 100952 103600
TreeView+ depends on / blocked
Reported: 2003-09-01 14:46 UTC by Daniel Berrange
Modified: 2007-04-18 16:57 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2003-12-10 02:48:53 UTC

Attachments (Terms of Use)

Description Daniel Berrange 2003-09-01 14:46:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The 'recover password' page sends the user an email containing a link to the
'change-password' page with a one-time key set. eg:


However, upon visiting this page to change their password, the user is
redirected to the login page:



Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Logout of site
2. Fill out the form on the 'recover password' page
3. Wait for the email to arrive
4. Visit the link in the email

Actual Results:  Redirected to the login page

Expected Results:  Presented a form allowing password to be changed.

Additional info:

Comment 1 Brett Prucha 2003-10-29 16:24:49 UTC
This bug is due to the fact that the Credential contains a '+' character in 
it.  The recover password UI (com.arsdigita.ui.login.RecoverPasswordPanel) 
generates the url's credential paramater by calling:

Line: 339   ParameterMap map = 
                (RecoveryLoginModule.getParamName() + "=" +

However the ParameterMap.fromString() function URLDecode's the query string 
replacing '+' characters with space characters.  Once it's decoded it is again 
encoded.  You can fix this problem by replacing the above lines of code with 
this these:

            ParameterMap map = 
                (RecoveryLoginModule.getParamName() + "=" +
(RecoveryLoginModule.getParamValue(user.getID()), "UTF-8"));

By first encoding the Credential you ensure that the original value is returned 
when it is decoded.

Comment 2 Archit Shah 2003-11-11 05:45:12 UTC
thanks to excellent debugging work, fixed at 5.2.x (37889), 6.0.x
(37890), and dev (37891)

Note You need to log in before you can comment on or make changes to this bug.