2017-11-17 10:13 GMT+01:00 Aleksey Qwerty <russian.qwe...@gmail.com>:
> Hi Clément,
>
> Thank you for the prompt response!
>
> I made sure I have $keyphrase set. If I'm not mistaken, it's required even
> for basic functionality. Otherwise you will see an error on the main web
> page.
>
> $keyphrase = "testsecret";
>
> After changing $crypt_tokens to false it started working! The next obvious
> question is: how safe is that solution? Would you recommend using it in
> production? If not, should we try to fix the issue with the encryption library?
> Please advise.

This is not very risky, as the token is sent in the mail. We crypt it only to not display the raw PHP session in the mail. The token crypt is mandatory only if you use the reset by SMS feature.

> FYI, I've noticed a few minor issues in the log file
> (/var/log/httpd/ssp_error_log) when I opened a link with the token to set up
> a new password:
>
> [Thu Nov 16 22:42:04 2017] [error] [client 192.168.1.100] PHP Notice: Undefined variable: source in /usr/share/self-service-password/menu.php on line 25
> [Thu Nov 16 22:42:04 2017] [error] [client 192.168.1.100] PHP Notice: Undefined variable: source in /usr/share/self-service-password/pages/resetbytoken.php on line 213
> [Thu Nov 16 22:42:51 2017] [error] [client 192.168.1.100] PHP Notice: Undefined variable: source in /usr/share/self-service-password/menu.php on line 25, referer: http://testsrv1.example.com/index.php?action=resetbytoken&token=blablablablabla

These are only warnings, nothing to worry about.

Clément.