Session key for form html code

by Robert Parhiz -
Number of replies: 5
Hello,

I am trying to develop a form where a user will enter their username or email address on a page not hosted under the Moodle environment, which will be sent to the Forgot Password page in Moodle for processing.

I have it working when I use a real session key that has been assigned to me. However, if I put in any random session key number (which shouldn't be done anyhow), the form gives me an invalid session key error.

Is there any way to get around using a session key for this? Maybe a default session key to be used? Or removing the need for a session key on this page? Any type of help would be greatly appreciated. I don't see why a user who isn't logged in (they don't even know their password) and is being taken to this Moodle page (for the first time possibly) would need a session key.

Here is the code I'm trying to use now...

<form action="https://moodle.mysite.com/login/forgot_password.php" method="post" accept-charset="utf-8" id="mform1" target="_blank">

<!-- Hidden fields copied from Moodle's own forgot-password form -->
<input name="MAX_FILE_SIZE" type="hidden" value="524288000" />
<!-- sesskey is the per-session key Moodle issued to me; any other value is rejected -->
<input name="sesskey" type="hidden" value="WoLX2qSUUH" />
<input name="_qf__login_forgot_password_form" type="hidden" value="1" />

Username: <input name="username" type="text" id="id_username" size="20" class="inputtext"/>

<br>
Email: <input name="email" type="text" id="id_email" size="20" class="inputtext"/>

<br>
<!-- Submit button so the form can actually be sent -->
<input type="submit" value="Search" />

</form>
In reply to Robert Parhiz

Re: Session key for form html code

by Robert Parhiz -
Can anybody help me with this?
In reply to Robert Parhiz

Re: Session key for form html code

by Tim Hunt -
What you are trying to do is indistinguishable, from the Moodle server's point of view, from the type of hack attack that sesskey is designed to prevent.

Why can't they just type their username into Moodle's forgotten password form?
In reply to Tim Hunt

Re: Session key for form html code

by Robert Parhiz -
Hello Tim,

Thank you for your response. I completely understand the need for session keys used in pages within the Moodle environment. However, I don't see a need for a session key for a user who is not even logged in and is trying to get their password emailed to them. Can you (or someone) briefly explain the need for this on the Forgot Password page?

Let me be a little more specific. The problem is that our organization is temporarily using multiple Learning Management Systems during a testing phase, to see which one students and faculty prefer. We have a single login page for these LMSs, in order to make it easier for our users to reach both of them at a single URL. For example, from this single login page the user can sign in to either Blackboard or Moodle.

We would also like to have a single forgot password page, where the user can either get their Blackboard or Moodle password. I have 2 "forgot password" forms on the page, one for Blackboard and one for Moodle. The Blackboard one works perfectly. However, the Moodle one is giving the session key error.

Would it be a security flaw to remove the need for a session key ONLY from the Forgot Password PHP code in the Moodle environment?

And I know this is most likely impossible, but is there a way to get around this without editing the PHP code?

Thanks again for your help.

Regards,
Robert
In reply to Robert Parhiz

Re: Session key for form html code

by Tim Hunt -
OK. That makes sense.

Actually, you are right, this is a general problem with formslib.php. Another situation where this arises is in reports that use a moodle_form for their settings. You would like to be able to bookmark a particular view of the report, but you can't because the URL contains your sesskey.

This has been reported as MDL-17252, but no one has fixed it yet.

If you just want a quick and dirty hack for your site, look in lib/formslib.php, in the _process_submission method. (http://cvs.moodle.org/moodle/lib/formslib.php?view=markup&pathrev=MOODLE_19_STABLE)

Add && $this->_formname != 'login_forgot_password_form' to the if (!confirm_sesskey()) statement.
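Added illustration of the check Tim describes; this is a stand-alone mock, not code from Moodle's formslib.php. confirm_sesskey(), _formname and the form name login_forgot_password_form come from the thread; the mock function names, the allowlist constant and the sample data are assumptions made up for this example.

```php
<?php
// Mock of Moodle's confirm_sesskey(): true only when the sesskey sent with the
// request matches the key stored in the visitor's own server-side session.
// This is why a made-up sesskey posted from an external page is rejected.
function confirm_sesskey_mock(array $session, array $request): bool {
    return isset($request['sesskey'], $session['sesskey'])
        && hash_equals($session['sesskey'], $request['sesskey']);
}

// Hypothetical allowlist of forms exempted from the sesskey check;
// only the forgot-password form name is taken from the thread.
const SESSKEY_EXEMPT_FORMS = ['login_forgot_password_form'];

// Mirrors the edited statement in _process_submission():
//   if (!confirm_sesskey() && $this->_formname != 'login_forgot_password_form')
function process_submission_mock(string $formname, array $session, array $request): string {
    if (!confirm_sesskey_mock($session, $request)
            && !in_array($formname, SESSKEY_EXEMPT_FORMS, true)) {
        return 'invalid sesskey';   // Moodle would raise its invalid session key error here
    }
    return 'accepted';
}

// Constructed sample data.
$session = ['sesskey' => 'WoLX2qSUUH'];                        // key Moodle issued to this visitor
$foreign = ['sesskey' => 'RANDOMKEY1', 'username' => 'rob'];    // posted from the external page
$own     = ['sesskey' => 'WoLX2qSUUH', 'username' => 'rob'];    // posted with the visitor's real key

// An ordinary form still rejects a key that is not the visitor's own.
assert(process_submission_mock('report_settings_form', $session, $foreign) === 'invalid sesskey');
// The exempted forgot-password form is processed without a matching key.
assert(process_submission_mock('login_forgot_password_form', $session, $foreign) === 'accepted');
// A matching key is accepted for every form, exempted or not.
assert(process_submission_mock('report_settings_form', $session, $own) === 'accepted');
echo "ok\n";
```

Only the form named in the allowlist loses the sesskey check; every other moodle_form keeps rejecting keys that do not match the visitor's session.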
In reply to Tim Hunt

Re: Session key for form html code

by Robert Parhiz -
Thanks again Tim. That improvement request article is pretty much what I was referring to. And yesterday I had a chance to do something similar to what you stated above, by editing the lib/formslib.php file so that the session key wouldn't be needed for the Forgot Password page. The way you suggest seems much easier, I think I will go back and implement it that way.

Does anyone see a security flaw in this that I might be overlooking?