
4.2.2 User Require Password reset doesn't work

Open morefriendm opened this issue 2 years ago • 5 comments

  1. Please log in to https://discvrmas.periopmedicine.org.au
  2. Log in with user: testuser, password: 12345678
  3. I have already enabled "Require Password Reset" for the above user.

Expected result

The user profile page should be loaded to change the user's password

Actual result

Page redirect logged in home page rather than user profile to change the password

System information (as much as possible)

J4.2.2 PHP 8.0.23 Default Joomla template

Additional comments

morefriendm avatar Sep 20 '22 12:09 morefriendm

Confirmed, the user is logged in. The profile with the request for changing the password comes with the next click. 3.10 and 4.0 work as expected.

chmst avatar Sep 21 '22 08:09 chmst

Confirmed. I would like to ping @nikosdion; he can check better than me whether we can exclude MFA.

alikon avatar Sep 21 '22 08:09 alikon

On it. I think I know where the problem lies.

nikosdion avatar Sep 21 '22 09:09 nikosdion

Looking at how the require password reset works I will say that we MUST check for Multi-factor Authentication before allowing the user to change their password.

Joomla does not use the password reset flow for resetting a password in this case, it gives full and unrestricted(!) access to the user profile edit page. This means that anyone who knows the user's old password can log into the site, see the user's personally identifiable information and even disable, change or add Multi-factor Authentication and WebAuthn Passwordless Authentication methods. That is to say, they can do a complete account takeover.

We use the Requires Password Reset feature when we provide a user with a temporary password which is transmitted over insecure transports (e.g. email, phone, ...) or when we suspect the user's password is compromised. If by doing so we also disable the MFA protection of that user's account we are exposing them to danger!

If there is a legitimate use case where the user has forgotten their password, they don't have access to their MFA Method and we need to convey a temporary password over an insecure transport the correct process would be this:

  • Super User goes into the user's account, Multi-factor Authentication tab and disables MFA with the handy Turn Off button.
  • The Super User then goes to the first tab, enters a temporary password and sets Requires Password Reset to Yes, then clicks on Save & Close.
  • The Super User contacts the user with the temporary password.

As a result I would close this as Won't Fix because the problem is not with MFA but the way Requires Password Reset is implemented. This feature needs to deny the user access to the site, instead redirecting them to the Forgot Your Password page with a message that they are required to go through the password reset process. For that, I'd recommend opening a different issue.

nikosdion avatar Sep 21 '22 09:09 nikosdion
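To make the ordering problem described in the comment above concrete, here is a small model of a login flow with a "require password reset" flag and MFA. This is an added example, not Joomla's code: the `User`, `Outcome`, `login_broken`, `login_hardened` and `issue_temporary_password` names, the redirect paths and the sample users are all assumptions constructed for illustration. `login_broken` follows the behaviour the comment describes (password accepted, session created, straight to the profile edit page, MFA never consulted); `login_hardened` follows the proposed fix (no session at all for a flagged user, redirect to the forgotten-password flow, MFA checked before anything that can edit the account). `issue_temporary_password` models the Super User procedure from the bullet list, where turning MFA off has to be an explicit, separate decision.

```python
"""Model of a login flow with a require-password-reset flag and MFA.

Illustrative only: not Joomla's code. Names, paths and users are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class User:
    username: str
    password: str                 # plaintext only to keep the example short (constructed data)
    require_reset: bool = False   # "Requires Password Reset" flag
    mfa_enabled: bool = False
    mfa_code: Optional[str] = None  # the code the user's authenticator would produce (constructed)


@dataclass
class Outcome:
    session: bool           # was an authenticated session created?
    redirect: str           # where the user is sent next
    profile_editable: bool  # can the user reach the profile edit page (MFA / WebAuthn settings)?


def login_broken(user: User, password: str, mfa_code: Optional[str] = None) -> Outcome:
    """Ordering as described in the issue: a correct password establishes a session,
    and the require_reset flag then sends the user to the profile edit page.
    The MFA check is never reached for a flagged user."""
    if password != user.password:
        return Outcome(False, "/login", False)
    # A session exists from here on.
    if user.require_reset:
        # Full session plus the profile edit page: the old password alone is enough
        # to read PII and change or disable MFA, i.e. account takeover.
        return Outcome(True, "/profile/edit", True)
    if user.mfa_enabled and mfa_code != user.mfa_code:
        return Outcome(True, "/mfa", False)  # captive MFA page, nothing else reachable
    return Outcome(True, "/", True)


def login_hardened(user: User, password: str, mfa_code: Optional[str] = None) -> Outcome:
    """Ordering proposed in the thread: a flagged user gets no session and is pointed
    at the forgotten-password flow (which runs out of band, via a reset token),
    and MFA is verified before any session that could edit the account."""
    if password != user.password:
        return Outcome(False, "/login", False)
    if user.require_reset:
        # Deny login outright; the (possibly compromised) old password buys nothing.
        return Outcome(False, "/reset-password?reason=required", False)
    if user.mfa_enabled and mfa_code != user.mfa_code:
        return Outcome(False, "/login", False)
    return Outcome(True, "/", True)


def issue_temporary_password(user: User, temp_password: str, turn_off_mfa: bool = False) -> User:
    """Super User procedure from the thread: set a temporary password and the
    reset flag. MFA stays in place unless the admin explicitly turns it off
    (the case where the user has lost access to their MFA method)."""
    user.password = temp_password
    user.require_reset = True
    if turn_off_mfa:
        user.mfa_enabled = False
        user.mfa_code = None
    return user


def attacker_can_take_over(flow: Callable[..., Outcome], user: User) -> bool:
    """An attacker who knows only the old/temporary password and has no MFA code:
    can they reach the page where MFA and WebAuthn methods can be changed?"""
    return flow(user, user.password, None).profile_editable


if __name__ == "__main__":
    alice = User("alice", "temp-pass", require_reset=True, mfa_enabled=True, mfa_code="123456")
    print("broken   :", attacker_can_take_over(login_broken, alice))    # True
    print("hardened :", attacker_can_take_over(login_hardened, alice))  # False
```

The interesting line is the position of the `require_reset` branch relative to session creation and the MFA check: in the broken ordering the flag acts as an MFA bypass, in the hardened ordering it acts as a lockout that can only be lifted through the reset flow.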

Thanks @nikosdion. We are using the "Require password reset" feature, so that when users first login, they need to setup their password and profile details if needed. At the moment, even if all MFA is disabled, it's not redirecting to the profile edit page.

morefriendm avatar Sep 22 '22 08:09 morefriendm

What's the status on this at the moment?


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38788.

ahvink avatar Dec 08 '22 15:12 ahvink

Is there a solution to solve this problem punctually?

Mika17420 avatar Dec 16 '22 11:12 Mika17420

Why is this bug on the removed label? The problem persists.

Mika17420 avatar Jan 31 '23 16:01 Mika17420

@Mika17420 Read my comment from September: https://github.com/joomla/joomla-cms/issues/38788#issuecomment-1253440628

The original poster did open a new issue (https://github.com/joomla/joomla-cms/issues/38806) so someone would fix the way Requires Password Reset works… but it was closed as a duplicate of this issue, even though the body of the issue clearly referenced this issue (therefore my comment).

I would recommend someone opening a ticket with the title "Requires Password Reset does not work with users who have MFA enabled" and the content "The Requires Password Reset feature needs to deny login to the site and ask the user to go through the password reset (instead of trying to redirect them to the password reset page) when MFA is enabled for this user. For the reasoning see https://github.com/joomla/joomla-cms/issues/38788#issuecomment-1253440628".

Then, and only then, someone might actually take the 2 minutes it needs to understand the issue and the 10 minutes it takes to fix it…

nikosdion avatar Jan 31 '23 16:01 nikosdion

I experienced the same bug in the backend. When Password Reset is set to Yes and the user is using 2FA, they are caught in a redirect loop.

coolcat-creations avatar Feb 20 '23 11:02 coolcat-creations

@joomla/joomla-experience-team-jxt I believe this qualifies as a UX issue. Please see my comment from five months ago — read the last paragraph for the proposed solution.

nikosdion avatar Feb 20 '23 11:02 nikosdion

I hope I did not misunderstand you; I created the issue as suggested. Thank you.

coolcat-creations avatar Feb 20 '23 12:02 coolcat-creations

Having just upgraded from 3.10.11 to 4.3.2 I am experiencing the same problem. The user who is required to enter a new password must first click on the welcome page before the form appears where the password can be changed. This issue talks about MFA users. That is not applied on my site. I am new on GitHub, referred by the NL Joomla Forum. Where is the best place to report this issue? Does anyone know an interim solution, because it is impossible to explain to 60 users that member information is visible before the mandatory changed password has been entered.

Sorry for my bad English.

KeesZNL avatar Jul 06 '23 13:07 KeesZNL

This bug still exists in 4.4.4 and presents a serious security risk. Is there any news on resolution?

petervukovic avatar Nov 29 '23 15:11 petervukovic

Joomla 5. Brand new test site with test data on Xampp for Windows. Created new user with Password Reset Required. Users can log in without a password reset. In the backend: mfa

pl71 avatar Mar 21 '24 11:03 pl71