bobosch / ods_ajaxmailsubscription

TYPO3 Extension Ajax mail subscription

Unsubscribe link not working #2

Closed taunusweb closed 7 years ago

taunusweb commented 7 years ago

Hi, in TYPO3 7.6 the unsubscribe link is not working; a wrong hash seems to be submitted with the newsletter. I'm using https:/mydomain.de/index.php?id=[myid]&u=###USER_uid###&t=###SYS_TABLE_NAME###&a=###SYS_AUTHCODE###

If I send a newsletter, I get this link for unsubscribing: https:/mydomain.de/index.php?id=[myid]&u=1045&t=t&a=5e0e8446 but I get this error message: "Der Link ist abgelaufen. Ein neuer Link wurde Ihnen zugesandt. Eine Bestätigungs-E-Mail wurde Ihnen zugesandt." I get another link and then the hash is correct: ...?t=t&u=1045&a=5902f7f7ae9a83e6

Any ideas? In TYPO3 6.2 everything worked fine.

bobosch commented 7 years ago

Hi!

This is standard behavior from the new version (also in the old T3 installation, check the extension version). The T3 security team forced the implementation, because otherwise it is possible to manipulate the user record with the static 8 character hash (###SYS_AUTHCODE###). Directmail doesn't offer another hash, so the extension has to resend a new hash. If you like, you could disable this new feature for unsubscribing ( authcode_std = del ). Please write me again if you need this feature disabled...

taunusweb commented 7 years ago

Sorry, I have to ask again: I try to get a link in the Newsletter to this page:

[Screenshot: bildschirmfoto 2017-05-10 um 08 43 08]

Using "&u=###USER_uid###&t=###SYS_TABLE_NAME###&a=###SYS_AUTHCODE###" and "&u=###USER_uid###&t=###SYS_TABLE_NAME###&a=###SYS_AUTHCODE###&do=del" leads to

[Screenshot: bildschirmfoto 2017-05-10 um 08 46 15]

Any hint for me?

klodeckl commented 7 years ago

You have to set authcode_std = del in the TypoScript setup, then it will work.

@bobosch: I did not understand clearly, so is it a direct mail problem? T3 security team forced the implementation of what?

bobosch commented 7 years ago

Yes, directmail cannot generate secure authorisation links, which are needed to change user settings. Unsubscription is possible with the mentioned TS option. Perhaps ajaxmailsubscription should extend directmail to generate secure links, but I have not been an active T3 developer for years and have no time for this. The T3 security team disallowed the authorisation (done by ajaxmailsubscription) with the standard hash (used by directmail).

klodeckl commented 7 years ago

So that means this should be changed in direct_mail? Then I will make at least a feature request.

bobosch commented 7 years ago

Here is the original comment from the TYPO3 Security Team:

  1. The links (auth code) should work only once.
  2. The links (auth code) should expire after a defined time.
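
The two requirements quoted above, as an added sketch that is not code from ods_ajaxmailsubscription or direct_mail: a random code bound to one record and action, accepted once and only within a lifetime. The class name `OneTimeAuthCodes`, the in-memory array standing in for a database table, and the one-hour lifetime are assumptions; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of ods_ajaxmailsubscription or direct_mail.
// The array stands in for a database table of pending auth codes.
final class OneTimeAuthCodes
{
    /** @var array<string, array{uid:int, table:string, action:string, expires:int}> */
    private array $pending = [];

    public function __construct(private int $ttlSeconds) {}

    // Issue a random code bound to one record and one action.
    public function issue(int $uid, string $table, string $action, int $now): string
    {
        $code = bin2hex(random_bytes(16)); // 128 random bits, not derived from record data
        // Store only a digest, so a leaked table does not reveal usable codes.
        $this->pending[hash('sha256', $code)] = [
            'uid' => $uid, 'table' => $table, 'action' => $action,
            'expires' => $now + $this->ttlSeconds,
        ];
        return $code;
    }

    // Redeem a code: valid once, before expiry, for the bound record and action only.
    public function redeem(string $code, int $uid, string $table, string $action, int $now): bool
    {
        $key = hash('sha256', $code);
        $entry = $this->pending[$key] ?? null;
        if ($entry === null) {
            return false; // unknown or already used
        }
        unset($this->pending[$key]); // requirement 1: consumed on first presentation
        if ($now > $entry['expires']) {
            return false; // requirement 2: lifetime exceeded
        }
        return $entry['uid'] === $uid && $entry['table'] === $table && $entry['action'] === $action;
    }
}

// Constructed sample values; uid 1045 and table marker "t" mirror the link in the thread.
$codes = new OneTimeAuthCodes(3600);
$t0 = 1700000000;
$a = $codes->issue(1045, 't', 'del', $t0);
var_dump($codes->redeem($a, 1045, 't', 'del', $t0 + 60));   // first use, inside the lifetime
var_dump($codes->redeem($a, 1045, 't', 'del', $t0 + 61));   // same code replayed
$b = $codes->issue(1045, 't', 'del', $t0);
var_dump($codes->redeem($b, 1045, 't', 'del', $t0 + 3601)); // fresh code, presented too late
```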