Agent Password Reset Error

leastlund

We are just turning up our osTicket instance, and are having issues when we attempt an agent password reset. We are getting the reset email, and are able to successfully follow the link with the token remaining in the url. Once we put in a username or email address and hit enter the page seems to just refresh the same page and pulls the token from the url. For testing I have disabled rewrites in IIS, and the issue persists.

KevinTheJedi

leastlund

There is a known issue with authenticated sessions. You'll need to revert this commit:

https://github.com/osTicket/osTicket/pull/6766/commits/416b548bd812188fec62c89fe8bfb0a3128731a1

Remove what's highlighted in green and add what's highlighted in red. You'll need to kill all cache/cookies/sessions to ensure your Agents/Users are not hung up on broken sessions. You'll also need to restart your webserver and PHP-FPM if you're running it.

Cheers.

leastlund

I implemented the recommended changes, restarted the webserver, cleared all browsing data, and tried different browsers with the same results. Adding the section you recommended I modify just to make sure that looks as you intended.

  function __construct($name, $ttl = SESSION_TTL, $checkdbversion = false) {
        // session name/ssid
        if ($name && strcmp($this->name, $name))
            $this->name = $name;
	// Session ttl cannot exceed php.ini maxlifetime setting
        $maxlife =  ini_get('session.gc_maxlifetime');
        $this->ttl = min($ttl ?: ($maxlife ?: SESSION_TTL), $maxlife);
        // Set osTicket specific session name/sessid
        session_name($this->name);
        // Set Default cookie Params before we start the session
        session_set_cookie_params($this->ttl, ROOT_PATH, Http::domain(),
            osTicket::is_https(), true);

KevinTheJedi

leastlund

Yep that looks good. Have you tried from a completely new device and network to be certain it’s not session or browser/extension or firewall related?

Cheers.

leastlund

We tried this on two workstations with multiple browsers, and on the server itself with the same results.

KevinTheJedi

leastlund

Then that sounds like it's something different. Are you using Firefox by chance? If so, I know that it cuts off part of the URL making the token incomplete. Can you manually copy the URL from the email, pasting it in the browser, and try that way?

Cheers.

leastlund

We have tested with Firefox to replicate the issue, but each machine was initially tested with either Chrome or Edge.

I just tried copying the url in manually, but just as before it looks to strip the token after I enter the email address or username.

KevinTheJedi

leastlund

Does the Agent actually have a current password set? Login to the database, go to the _staff table, and check the passwd column to see if the specific Agent has a current password set. If not, they cannot "reset" their password because they don't have one currently set. The Admin will have to manually set one for them and enable the option to force them to change it on next login.

Cheers.

leastlund

This was initially mentioned to be by a co worker. I know they for sure have a password set now, but they may not have initially. Since that report I've been testing this with my own account that has a password set. If I go to the normal Agent login page after these attempts fail, I'm able to log in with my old credentials, go through 2FA, and then once I'm logged in it will ask me to update my password.

KevinTheJedi

leastlund

That is quite strange.. I think from here you'll simply need to debug the codebase. I'm not able to replicate this and if you're truly following my suggestions then it doesn't appear to be the most common culprits: session issues and link issues.

Cheers.

leastlund

I'm not sure what broke on my initial install, but I started over from scratch, configuring the same items I had the first time around (OAuth, and two Agents), and this is now working as intended. Thanks for the assistance though!