• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item4063: Document how to reset a password with ApacheLogin

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine Documentation Urgent Closed   minor 4.2.0

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

These scripts are, I am pretty sure, redundant, as their function was subsumed by register.

-- TWiki:Main/CrawfordCurrie - 14 May 2007

Now you cannot reset your password anymore because you need a password to reset a password.

Peter raised this question on the TWiki:Codev.RemovePasswdAndResetpasswdScripts and yet the code was checked in?????

-- TWiki:Main.KennethLavrsen - 15 May 2007

Actually he raised it after it was already checked in, but that's my fault for being too proactive, not his.

Text of my response to Lavr's critique:

...it is possible to exclude resetpasswd from require valid-user and use the ?LoginName=XyZ parameter to indicate the username to reset. There is no interactive screen for the resetpasswd script, and I have searched the doc and there is no mention of this use model anywhere. It's another one of those undocumented magical spells.

I re-added the resetpasswd script. To correct the documentation of the apache use model is rather more important, however. I have re-used the bug number - elevating it to urgent, as this is an obvious gotcha/low hanging fruit.

Clearly users need to be told about this use model. I propose two remedial steps:

  1. Provision of a standard 401 ErrorDocument, which can be used in place of a redirect to TWikiRegsitration. The ErrorDocument should include a form that prompts for a username to reset the password.
  2. Documentation of this in TWikiInstallation
I changed the headline from "Get rid of passwd and resetpasswd scripts" raised the priority of this report from Normal to Urgent - I consider we should not release without adequate documentation of this - and changed the component to Documentation Example 401 error document:

TWiki Authorization failed

If you need to reset your TWiki password, enter your Apache login name below and click "Reset My Password".
Login Name:

Your new password will be emailed to your registered email address.
(don't try it! it will reset your password and then you'll have to wait for the next synch with t.o for your login to work again!) CC

We have to be careful with the ErrorDocument. It has already been subject to concern about load when search engines like Google look up no longer existing topics. it is important that the redirects are not fed to something that causes additional Twiki execution. Ie. a static page instead of a real TWiki topic. Otherwise the search engine load increases again.

-- TWiki:Main.KennethLavrsen - 15 May 2007

I think it is better not to have the reset password form in the auth error page for these reasons:

  • N/A for sites that use external auth (LDAP, AD, ...).
  • Increases the likelihood that Joe Bloe resets the password for JohnSmith, resulting in an increased admin support load.
-- TWiki:Main.PeterThoeny - 15 May 2007 Think it through. Putting aside public sites - not our target demographic - IME there are four typical setups for internal sites:
  1. Uncertificated https: public site, view is authenticated, authenticated using apache + .htpasswd, users typically pre-registered - typical small company setup, 5-50 employees
  2. http: behind a firewall, publicly viewable, write authenticated using apache or template login + .htpasswd, users pre-registered - typical SME setup, 50-500 employees
  3. http: behind a firewall, authenticated via apache or template login + .htpasswd, voluntary registration
  4. http: behind a firewall, authenticated via LDAP or equivalent, compulsory or automatic registration - corporate intranet setup - 500- employees
Some observations about authentication failures:
  1. Users in all setups can be trusted not to reset other user's passwords. Even if they do, it gains them nothing, as the new password is mailed to the registered address.
  2. Redirect to a "get lost" error document is inappropriate in all setups
  3. Redirect to TWikiRegistration is only appropriate in setup 3
  4. Password reset in setup 4 requires a bespoke error document
So, I agree that for public sites - such as t.o and d.t.o - redirect to a password reset page is inappropriate, but redirect to TWikiRegstration is. But I contend that for any site where a redirect to TWikiRegistration is not appropriate, then redirect to a password reset page is appropriate. Redirect to a "get lost" page is IME only for public sites with pre-registered users. CC Kenneth takes this

  • Enhance twiki config file and .htaccess default to contain commented out error document redirects to reset password and a static html doc in the root.
  • Create the static html file
  • Update ApacheConfigGenerator so you can choose between 3 settings
  • Update installation guide accordingly
-- TWiki:Main.KennethLavrsen - 18 Jun 2007 It makes no sense to try and create a static html file. I have added the two options TWikiRegistration and ResetPassword. Also to the ApacheConfigGenerator. If people want a static html they will want something different in each case. The discussion on the load this creates from search engines is more relevant for the 404 message (not found) and this is not the one we talk about here.

-- TWiki:Main.KennethLavrsen - 27 Aug 2007

(PS pasting signature in here also makes the TinyMCE jump to near the top of the topic. Grrr!)


Cleaned "WaitingFor" field.

-- TWiki:Main.GilmarSantosJr - 10 Aug 2008

ItemTemplate
Summary Document how to reset a password with ApacheLogin
ReportedBy TWiki:Main.CrawfordCurrie
Codebase

SVN Range TWiki-4.1.2, Sun, 13 May 2007, build 13714
AppliesTo Engine
Component Documentation
Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:13740 TWikirev:13741 TWikirev:13742 TWikirev:13750 TWikirev:14638
TargetRelease minor
ReleasedIn 4.2.0
Edit | Attach | Watch | Print version | History: r19 < r18 < r17 < r16 < r15 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r19 - 2008-08-10 - GilmarSantosJr
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback