How does Joomla's Password Reset feature work?
Joomla's Password Reset feature asks for the user's email address which it checks for in the user account table against that user's record. If found a unique token (a long series of numbers & characters) is generated and this is sent to the email address with a link back to the correct page on the website where the token needs to be entered to complete the process and allow the user to reset their password.
What went wrong?
Unfortunately, the email sent to the user displays the token in this manner : The token is 408ebfa6c89glda0d267543e07a4cdeb4 . Notice the space before the period? Well, understandably, the user was copying everything upto the preiod, including the space and pasting it into the field provided on the website for the final step. Unfortunately, that extra space counts as a character and so the token did not match and the user received an error and was unable to complete the reset. Not good.The fixes
There are two fixes for this issue:- Format the email properly so there is less of a chance of user error;
- Run the submitted token through PHP's trim() function to strip out empty characters on either side of the token.
How to?
Format the email to remove the space
The first step requires us to amend the email that is sent out to the user. Joomla uses language files so it's quite easy to amend this message.
The reset password function is a part of the User Component in Joomla (com_user) so look up the correct file in the 'language' folder/directory : /WEBROOT/language/en-GB/en-GB.com_user.ini
Search for this text "PASSWORD_RESET_CONFIRMATION_EMAIL_TEXT" and edit the value of this setting by removing the space and period. I added newlines (\n) before and after the token (%s) so that the token displays on a line by itself. This has two advantages:
- Makes it clearer to the user if the token is on a line by itself
- Reduces the chance of user error when copying/pasting
Use trim() to remove whitespace
The second fix is the better one as it tackles the actual issue of readying the submitted token for comparison and matching.
In order to do this go to the following file : /WEBROOT/components/com_user/models/reset.php
Search for the text "function confirmReset($token)" and inside this function add the trim function like so:
function confirmReset($token)
{
global $mainframe; $token = trim($token);
........... function continues ...........
}
This will now remove all extra whitespace on either side of the token submitted by the user so that the 'clean' token is used for comparison.
And that's it - you will now have a sturdier Reset Password feature in Joomla.