Securing the password recovery experience in Sitecore 8

Following my post on password recovery in Sitecore 8 fellow Sitecore MVP Kam Figy pointed out how the default Sitecore implementation potentially can be used by a malicious individual to block an editor from logging in by resetting their password automatically.

This can be done simply by creating a script that request a new password for a known user name once every x minute/second. That would really annoy the victim and potentially also cause business havoc.

I can understand why Sitecore has not focused on this vulnerability due to the big differences in customer setups. The client login screen will in some cases be public available and in other cases be within a corporate network etc. If the Sitecore client is public available then password recovery can be completely turned off.

Anyway he makes a really good point so here is a quick and dirty implementation that sends out a mail with a confirm link before sending out an email with a new password.

First we do some configuration re-organizing.

We copy paste the old passwordRecovery pipeline and call the new one confirmedPasswordRecovery

The reason for this is that we still want to execute the exact same pipeline when the user has confirmed that he requested password recovery.

Then we modify the passwordRecovery that is executed by the Sitecore login page:

We replace the GeneratePassword with a processor called GenerateToken for generating and storing a token on the user profile:

To make this work you need to add a field called PasswordToken on the user profile. See Brians post on doing this setting custom properties on Sitecore user profiles.

Then I’ve placed the common key for the token in a constants struct:

And then we replace PopulateMail with PopulateConfirmMail  that populates a html email with a confirm link.

 

Do not hardcode html in code like this. It is only intended as example.

Notice the confirm link that we create, this is for a ApiController with a HttpGet method that expects a username and a token.

This controller executes the new (old) confirmPasswordRecovery pipeline, then deletes the token and redirects to the login page.

We need to register the route so we create a processor for the initialize pipeline:

And patch it into the initialize pipeline:

And voila, the new confirm email looks like this:

confirm_mail

When the link is clicked a new email is sent with a new password for the user.

Right now it simply returns a 200 and no redirect to the login screen or anything. This would not really be ideal without showing a message. One might argue that a better solution would be to make a new reset password page that verifies the token and the username combo and then allow the user to type in a new password. But this is not how I made it, I prefer to do it all in pipelines, no new .aspx files.

And the password recovery mail is the standard one that you can modify in the core database on the item /sitecore/system/Settings/Security/Password recovery/Password Recovery Email

That should be it. Please refactor the code before using it in a production environment.

 

Anders Laub

Anders Laub Christoffersen

Anders has been working with Sitecore for over a decade and has in this time been the lead developer and architect on several large scale enterprise solutions all around the world. Anders has been nominated a Sitecore Technical MVP three years in a row for 2014, 2015 and 2016. Anders is now working as a Sr. Solutions Architect at Sitecore in Copenhagen.

One thought on “Securing the password recovery experience in Sitecore 8

  1. Thanks for making this and sharing Anders. Too bad Sitecore doesn’t take pull requests 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*
Website