
On my platform, the administrator creates a user whose password is randomly generated, and this automatically sends an email to the new user. The email contains a link that leads to the reset-password page (which, for the user, is effectively a password-creation page, because he does not know that a password has already been generated for him).

The problem is that when the user clicks on the email link and arrives on the change password page, he is logged in as admin and therefore has permissions that he should not have.

In fact, I want the email link to log the new user in to his own account; I don't want him to be logged in as admin. I'm not sure how to do this.

I don't know much about tokens. I believe the token is generated based on the session in use (?).

Thank you in advance for your help.

Here is the code for creating a user:

    /**
     * @Route("/new", name="user_new", methods={"GET", "POST"})
     * @throws TransportExceptionInterface
     */
    public function new(Request $request, MailSender $mailSender, UserPasswordHasherInterface $passwordHasher): Response
    {
        // TODO CHECK IF USER ALREADY EXISTS BY EMAIL (a unique constraint on the
        // email column of the User entity is the reliable way to enforce this)
        $user = new User();
        $form = $this
            ->createForm(UserType::class, $user)
            ->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            // Placeholder password: 128 random bits from a CSPRNG, stored only as
            // a hash. Nobody is told this value; the user sets their own password
            // through the e-mailed link.
            $randomPassword = bin2hex(random_bytes(16));
            $user->setPassword($passwordHasher->hashPassword($user, $randomPassword));
            $this->entityManager->persist($user);
            $this->entityManager->flush();

            // Build the one-time token for this user and e-mail the activation link.
            try {
                $resetToken = $mailSender->makeToken($user);
            } catch (ResetPasswordExceptionInterface $e) {
                return $this->redirectToRoute('user_new');
            }
            $mailInfos = [
                'template' => 'reset_password/email_activate.html.twig',
                'subject'  => 'Activer votre compte', // "Activate your account"
                'email'    => $user->getEmail(),
            ];
            $mailSender->sendMail($resetToken, $mailInfos);
            $mailSender->storeToken($resetToken);

            return $this->redirectToRoute('user_index', [], Response::HTTP_SEE_OTHER);
        }

        return $this->renderForm('user/new.html.twig', [
            'user' => $user,
            'form' => $form,
        ]);
    }
Lino
  • Did you log out of the admin account before testing the email link? – john Smith Jan 05 '22 at 10:32
  • No, I didn't. Would it be necessary? Log out before clicking the link, or before sending the mail (which creates the token)? – Lino Jan 05 '22 at 10:45
  • I'd say it's necessary; in a "real life example" a newly generated user wouldn't be logged in as admin in your app either, right? What class is `MailSender`? – john Smith Jan 05 '22 at 11:33
  • MailSender is a service I created to send an email and to generate and store a token. I don't understand why the admin needs to log out. If the admin is logged in on the platform, another user can also be logged in in a new browser tab, right? – Lino Jan 05 '22 at 12:15
  • I mean it's only necessary if you are logged in as admin in the same browser session! If you open the email link in a private tab where you are not logged in, are you then logged in as admin as well? Because then we need to see your code for how you generate the token. E.g. no, you can't be logged in with several different users in different tabs, because all tabs share the session. – john Smith Jan 05 '22 at 13:04
  • Indeed, in private browsing the session is not established. I think I did not quite understand the user session / login system... I need to look at this in more detail; I did not know that the tabs share the same session. – Lino Jan 05 '22 at 13:24

1 Answer


This is expected behaviour because:

multiple tabs/instances of the same browser will usually share the same server-side session when interacting with the same domain.

This means that you can't be logged in with different users in different tabs by default.

And I don't think that you would want this; just think of the downsides: do you really want to log in again for every tab? This is very uncommon practice. Imagine you opened a Stack Overflow question in a new tab and you were not logged in there.

There are ways to achieve this, but really re-think whether that's your actual use case; I don't think so. You are just developing your feature and testing it, and in production a new user will not already be logged in as admin, is my assumption.

So for testing your feature just use a private tab (which usually does not share the same server-side session).

If you want to learn more, I found this pretty cool SO thread where users try to explain as best as possible: What are sessions? How do they work?

john Smith
  • Thank you very much! You just saved me from a few hours of testing which was in fact useless, because I believed that the session could be different in several tabs. The link works well in private browsing: the session is not that of the admin :D This is good to know! – Lino Jan 05 '22 at 13:45
  • 1
    If you want to have unique session per tabs for testing purpose, you may add Chrome Extension to your web browser to handle it (available on firefox and other web browser to). On Chrome I use SessionBox which is correct with free plan. – Skunka Jan 05 '22 at 15:14
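Putting the question and the answer together: the browser carries one session cookie for the whole domain, so every tab, including the one that opened the e-mail link, arrives as whoever is already logged in there. The reset page therefore has to identify the user from the token in the link and then replace the session, never read the user from the session it happens to receive. The following is an added example, not code from the question, the answer or the poster's MailSender service: a framework-free PHP sketch of that token flow. The arrays $users, $tokenStore and $session are constructed stand-ins for the database tables and for $_SESSION; the one-hour TTL, the URL and the e-mail addresses are assumed values.

```php
<?php
// Added example (not the poster's code). $users/$tokenStore model database
// tables, $session models $_SESSION for one browser; all values are constructed.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // assumed policy: links are valid for one hour

/** Constructed user table: id => row. Only password hashes are stored. */
$users = [
    1 => ['email' => 'admin@example.test',
          'password' => password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT)],
];

/** Token table keyed by sha256(rawToken); the raw token exists only in the e-mail. */
$tokenStore = [];

/** What the "user_new" route has to do: unguessable placeholder password, then a link. */
function createUserWithActivationLink(array &$users, array &$tokenStore, string $email): array
{
    $id = max(array_keys($users)) + 1;
    $users[$id] = [
        'email'    => $email,
        'password' => password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT), // never revealed
    ];
    $raw = bin2hex(random_bytes(32));                      // 256 bits from a CSPRNG
    $tokenStore[hash('sha256', $raw)] = ['user_id' => $id, 'expires' => time() + TOKEN_TTL_SECONDS];
    return [$id, 'https://example.test/reset-password/reset/' . $raw]; // assumed route
}

/**
 * What the reset page does when the link is followed. The user comes from the
 * token row, never from $session, so an admin logged in in the same browser
 * neither keeps their identity nor has their own password changed.
 * Returns the user id that is now logged in, or null if the link is invalid.
 */
function activateFromLink(array &$users, array &$tokenStore, array &$session,
                          string $link, string $newPassword): ?int
{
    $raw = substr($link, strrpos($link, '/') + 1);
    $key = hash('sha256', $raw);
    if (!isset($tokenStore[$key])) {
        return null;                                       // unknown, forged or already used
    }
    $row = $tokenStore[$key];
    unset($tokenStore[$key]);                              // single use, even when expired
    if ($row['expires'] < time()) {
        return null;
    }
    $users[$row['user_id']]['password'] = password_hash($newPassword, PASSWORD_DEFAULT);

    // Replace whatever identity this browser had with the token's user. In a
    // real request also call session_regenerate_id(true) so the cookie that
    // carried the admin session is not reused for the new user.
    $session = ['user_id' => $row['user_id']];
    return $row['user_id'];
}

// --- Walk-through: the admin's browser (one session shared by all tabs) creates the user
$session = ['user_id' => 1];                               // admin is logged in
[$newId, $link] = createUserWithActivationLink($users, $tokenStore, 'lino@example.test');

// The same browser follows the link: the session is now the new user's, not the admin's
$loggedIn = activateFromLink($users, $tokenStore, $session, $link, 'correct horse battery staple');
assert($loggedIn === $newId && $session['user_id'] === $newId);
assert(password_verify('correct horse battery staple', $users[$newId]['password']));

// The link is dead after one use, so a forwarded or leaked e-mail cannot be replayed
assert(activateFromLink($users, $tokenStore, $session, $link, 'another') === null);
echo "user {$newId} activated and logged in; token consumed\n";
```

In the walk-through, $session starts as the admin's session to reproduce the situation in the question; a private window corresponds to starting with an empty array, and both end with the new user logged in because the identity is taken from the token row. Storing only the SHA-256 of the token means a read of the token table does not yield usable links, and deleting the row before checking expiry makes every link single-use regardless of outcome.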