Hi Clément,

> This is not very risky, as the token is sent in the mail. We crypt it
> only to not display the raw PHP session in the mail. The token crypt
> is mandatory only if you use the reset by SMS feature.

Thank you for the clarification, but can we try to fix the issue with the crypto library? Do we have any newer version of /usr/share/self-service-password/lib/vendor/defuse-crypto.phar or something?

2017-11-17 1:26 GMT-08:00 Clément OUDOT <clem.ou...@gmail.com>:

> 2017-11-17 10:13 GMT+01:00 Aleksey Qwerty <russian.qwe...@gmail.com>:
> > Hi Clément,
> >
> > Thank you for the prompt response!
> >
> > I made sure I have $keyphrase set. If I'm not mistaken it's required even
> > for basic functionality. Otherwise you will see an error on the main web
> > page.
> >
> > $keyphrase = "testsecret";
> >
> > After changing $crypt_tokens to false it started working! The next obvious
> > question is: how safe is that solution? Would you recommend to use it in
> > production? If not, should we try to fix the issue with the encryption library?
> > Please advise.
>
> This is not very risky, as the token is sent in the mail. We crypt it
> only to not display the raw PHP session in the mail. The token crypt
> is mandatory only if you use the reset by SMS feature.
>
> > FYI, I've noticed a few minor issues in the log file
> > (/var/log/httpd/ssp_error_log) when I opened a link with the token to set up
> > a new password:
> >
> > [Thu Nov 16 22:42:04 2017] [error] [client 192.168.1.100] PHP Notice: Undefined variable: source in /usr/share/self-service-password/menu.php on line 25
> > [Thu Nov 16 22:42:04 2017] [error] [client 192.168.1.100] PHP Notice: Undefined variable: source in /usr/share/self-service-password/pages/resetbytoken.php on line 213
> > [Thu Nov 16 22:42:51 2017] [error] [client 192.168.1.100] PHP Notice: Undefined variable: source in /usr/share/self-service-password/menu.php on line 25, referer: http://testsrv1.example.com/index.php?action=resetbytoken&token=blablablablabla
>
> These are only warnings, nothing to worry about.
>
> Clément.
--
BR,
Aleksey Qwerty
_______________________________________________
ltb-users mailing list
ltb-users@lists.ltb-project.org
https://lists.ltb-project.org/cgi-bin/mailman/listinfo/ltb-users
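An added example, not part of the thread and not Self Service Password code: a small Python check over a config file that applies the two conditions stated in the messages above ($keyphrase must be set, and token encryption is mandatory when reset by SMS is used). The setting name $use_sms, the finding codes and the sample config are assumptions made for illustration.

```python
import re

# One scalar PHP assignment per line, e.g. `$crypt_tokens = false;  # note`
ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*;\s*(?:(?://|#).*)?$')

def parse_php_settings(text):
    """Return {name: value} for bool/string assignments; later lines win."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue  # comments, blank lines, arrays, anything non-scalar
        name, raw = m.groups()
        if raw.lower() in ("true", "false"):
            settings[name] = raw.lower() == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            settings[name] = raw[1:-1]
    return settings

def audit(settings):
    """Apply the conditions stated in the thread; return finding codes."""
    findings = []
    if not settings.get("keyphrase"):
        # The thread reports $keyphrase is needed even for basic functionality.
        findings.append("keyphrase-missing")
    if settings.get("crypt_tokens") is False:
        if settings.get("use_sms") is True:  # assumed setting name
            # Token encryption is stated as mandatory with reset by SMS.
            findings.append("sms-needs-crypt-tokens")
        else:
            # Without encryption the mail shows the raw PHP session.
            findings.append("raw-session-id-in-mail")
    return findings

# Constructed sample config, using the values quoted in the thread.
SAMPLE_CONFIG = """
$keyphrase = "testsecret";
# $crypt_tokens = true;
$crypt_tokens = false;   // workaround discussed above
$use_sms = true;         # assumed name of the reset-by-SMS switch
"""

if __name__ == "__main__":
    for code in audit(parse_php_settings(SAMPLE_CONFIG)):
        print(code)
```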