Developer forum


Problems with password reset when multiple users have the same email address

Sean Meade

In our experience, it is typical with customer databases for there to be duplicate users that have the same email address.

When they need to reset their password, they get an error message like this:

We did not find an account associated with that email. Please try a different email or create a new account.

We want to know if there is a way to handle this situation better. The message is in fact not true. The problem is not that there are NO accounts. The problem is that there are MULTIPLE accounts.

One idea we had was to send an email including a list of user names that have that email address.

What we really want is a way for this to not be a dead end. Otherwise, the user has to contact customer service or someone with access to the backend to clean up their users.

Any thoughts on how to improve this?

Thanks,

Sean Meade, CAPM, DWNA

 


Replies

 
Nicolai Høeg Pedersen

Hi Sean

Looking at the code that handles the forgot password feature, it sends an email to each record in the database where the email matches.

There is one check though - if you have multiple users with the same email address, and you add the forgot password feature to a page that has extranet permissions that the users with the email address do not have access to, it will return as if the user was not found.

So, I think we need to take a look at the actual implementation to find the issue (you can investigate by yourself, or provide us with a URL).

BR Nicolai

 
Scott Forsyth

Hi Nicolai,

The template provided in the empty solutionset has a check within the template that prevents this from working if there is more than 1 account found:

        <!--@If(UserManagement:User.Login.FoundUsersCount=0 || UserManagement:User.Login.FoundUsersCount>1)-->
        <div class="info-pane error">User not found!</div>
        <!--@EndIf-->

That's from a fresh download from the developer portal. (\Files\Templates\UserManagement\Login\password_recovery.html). We have an updated Razor version that we use, but it has the same issue.

When I remove that check for FoundUsersCount > 1, there is a postback to the same page but it doesn't return the expected data and it doesn't send the email.

When outputting the POST data after submitting the email address, it's the same for each:

ForgotPasswordMailTemplate Login/PasswordRecoveryEmail.html
ForgotPasswordSenderEmail noreply@company.com
ForgotPasswordMailSubject Denville - Recover password
AccessUserEmail email_with_1_occurance@domain.com
LoginAction Recovery

This works, and the logic for UserManagement:User.Login.Action is correctly set to "RecoveryLinkSent" in the template, so even though the POST data shows LoginAction = Recovery, the template tags were able to determine that it's a successful submission. 

However, with the other email address, it doesn't work. The POST data looks like this:

ForgotPasswordMailTemplate Login/PasswordRecoveryEmail.html
ForgotPasswordSenderEmail noreply@company.com
ForgotPasswordMailSubject Denville - Recover password
AccessUserEmail email_with_many_occurances@domain.com
LoginAction Recovery

And UserManagement:User.Login.Action is set to "Recovery" in the template tags.

So it seems that it's not handling the multiple accounts with the same email, or at least not as I would assume.

Thanks,

Scott

 
Søren Bremholm Jakobsen

Hi,

We are experiencing the same as above - multiple accounts with the same email where recovery mails are not sent. I can reproduce this on versions 8.9.2.21 and 8.8.1.6. I have tried to remove the UserManagement:User.Login.FoundUsersCount>1 check in the template, but then no error message is displayed and the recovery email is not sent.

Any fix for this?

Thanks, Søren

 
Nicolai Pedersen

Hi Søren

If you use the usermanagement module recover password feature, it will not send recovery mails if more than one user shares the same email. Probably because the system does not know who to reset - one might work, another not...

It is the same on 8+9.

If you use recover password from layout template instead, it should work.

I've just made a change, TFS#58119, that will reset the password on all users using that email address. Not sure that is a good idea - you could end up resetting users that should not be...

Attached find an unofficial dynamicweb.dll for the latest 8 that has removed this check. See if it works. But still not sure we want it this way as it could cause lots of problems.
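Added example, not part of the original thread and not Dynamicweb code: one way to handle recovery for an email shared by several accounts, where a single mail lists each user name with its own single-use link and no password changes until a link is redeemed. All names, the in-memory stores, the one-hour lifetime, the uniform reply text and the shop.example URL are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed token lifetime in seconds
GENERIC_REPLY = "If that address is registered, a recovery email has been sent."

# Constructed sample data: two accounts share one address.
USERS = [
    {"id": 1, "username": "jdoe", "email": "shared@example.com"},
    {"id": 2, "username": "jdoe_old", "email": "shared@example.com"},
    {"id": 3, "username": "asmith", "email": "single@example.com"},
]
TOKENS = {}  # sha256(token) -> (user_id, expiry); only the hash is stored
OUTBOX = []  # (recipient, body) pairs standing in for the mail sender


def request_recovery(email, now=None):
    """Issue one token per matching account; reply identically for 0, 1 or many."""
    now = time.time() if now is None else now
    wanted = email.strip().lower()
    matches = [u for u in USERS if u["email"].lower() == wanted]
    if matches:
        lines = []
        for user in matches:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            TOKENS[digest] = (user["id"], now + TOKEN_TTL)
            lines.append(f"{user['username']}: https://shop.example/reset?token={token}")
        # One mail to the stored address, listing every account that uses it.
        OUTBOX.append((matches[0]["email"], "\n".join(lines)))
    return GENERIC_REPLY


def redeem(token, now=None):
    """Return the user id the token belongs to, or None if unknown, used or expired."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```

Because each link maps to exactly one user id, only the account whose link is followed gets a new password; the other accounts on that address stay untouched.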

 
