Modifications & Addon Releases Modification guides and addons are posted here to share with the community. Do not post requests in here!

  (#16) Old
eiden Offline
Member
 
Posts: 234
Join Date: Apr 2006
Location: Norway
17-06-2006, 08:59 PM

Quote:
I think that using LoginShare to tie into any system with sensitive usernames/passwords is a bad idea, because AFAIK LoginShare caches the username/password they enter in the MySQL database, and the password is in plain text! So if some hacker (or insider turned bad) got read-only access to the SupportSuite DB they would see all of the sensitive passwords that LoginShare cached. (This allows SupportSuite to send user their actual password if they forget it. Personally I think there should be an option to store the password in MD5/SHA1/SHA256 + salt in DB and if the user forgets their password to randomly generate a new one -- this is much more secure. Hence my decision to not use LoginShare.)
I have spent some hours to work around this problem by writing my own LoginShare. I only store encrypted (MD5) passwords in the DB. And I have disabled the "[Lost Password]" function. If the user forgets his/her password, the user can get a new one from our main website. This password is of course randomly generated.

But there are some downsides with the LoginShare function. I have reported this bug/issue: http://bugs.kayako.net/?do=details&id=1499
   
  (#17) Old
tm2000 Offline
Member
 
Posts: 42
Join Date: Aug 2005
18-06-2006, 12:05 AM

@khoffman

FANTASTIC!! This works great and makes it easy for our Clients.. THANK YOU!
   
  (#18) Old
khoffman Offline
New Member
 
Posts: 14
Join Date: May 2006
11-07-2006, 09:48 AM

Perhaps it's just in base64 or something. Even if it's encrypted, the key has to be embedded somewhere in the code. It's probably in the Zend-encoded portion, so it's probably a little bit harder to get at, but anything that is purely software based is fallible to inspection. A hacker with root access could core dump the process at just the right moment or perhaps use a kernel level debugger. So for some apps having it in the DB in some semi-private encrypted form may be OK, but for our app we opted to keep it separate. It's hard for Kayako because they are trying to serve so many different audiences with one code base. So far I've been pleased and impressed with the options they do offer.
   
  (#19) Old
AKL-MFCU Offline
Member
 
Posts: 146
Join Date: Feb 2006
Location: Lakeland, Florida - USA
yeah - 11-07-2006, 10:06 PM

Yeah, I agree; besides, it's the reason people hire security engineers more and more now. What used to be ultra secure is now open season, and it's hard to keep one up on everyone, especially since many of the "crackers" are really just stepchildren of true hackers, using software to do the work for them. Anything that makes it easier for people to log in is just one step easier for those who shouldn't be to get in. All I can say is put the firewall in front of your SupportSuite and then hope that all they can do from there is brute force.
   
  (#20) Old
Saltan Offline
New Member
 
Posts: 2
Join Date: Jul 2006
13-07-2006, 09:22 AM

khoffman wrote:
There are several other templates for ticket emails: email_autoclose, email_staffnewticket, email_staffreply.

It is very handy to add links to these HTML templates to allow the user to click and instantly see their ticket (with auto login).

However, for these templates we cannot add the u_passwd URL parameter -- that needs to be filled in by their cookie! That's because the $user[userpasswordtxt] variable is not populated when these templates execute.


Is there any way to populate the user password for these templates?
   
  (#21) Old
eMax Offline
Member
 
Posts: 63
Join Date: Nov 2003
19-07-2006, 09:28 PM

I keep getting token errors no matter what I try.

Can you help me clean this up to work properly?

Quote:
<{$language[arsubfooter]}><a href="<{$swiftpath}>index.php?_m=tickets&_a=viewticket&ticketid=<{$ticket[ticketid]}>&u_email=<{ urlencode value=$ticket[email]}>&u_passwd=<{urlencode value=$user[userpasswordtxt] }>&u_login=1&group=<{$ticket[tgroup]}><{if $settings[u_sendpw] == 1 && $user[userpasswordtxt] != "" && $user[loginapi_moduleid] == 1}">
Trying to put an active link in clients' e-mails.
   
  (#22) Old
tm2000 Offline
Member
 
Posts: 42
Join Date: Aug 2005
19-07-2006, 09:46 PM

Have you deleted your cache off your server after you save the templates? That ripped us up at first..

Post your ENTIRE modified code for the auto-responder template and I'll look at it..
   
  (#23) Old
eMax Offline
Member
 
Posts: 63
Join Date: Nov 2003
20-07-2006, 12:55 AM

Quote:
Originally Posted by tm2000
Have you deleted your cache off your server after you save the templates? That ripped us up at first..

Post your ENTIRE modified code for the auto-responder template and I'll look at it..

Using the normal code as posted in the first post in this thread works but the link is not active. So I tried to throw an <a in it as mentioned in a few posts above. My code is above yours but when I use it I get the following error which is returned to the sender (ticket is still created).

Quote:
Fatal error: TPL: [in email_autoresponder line 9]: syntax error: unidentified token '}">' (class.compiler.php, line 513) in /home/emaxmich/public_html/support/includes/SmartyLight/class.template.php on line 422
and yes the cache is totally emptied.
   
  (#24) Old
tm2000 Offline
Member
 
Posts: 42
Join Date: Aug 2005
20-07-2006, 01:01 AM

I think you're missing a tag or bracket.. This is our entire template.. Copy and Paste all of this and see what happens:

Code:
<p><{if $ishtml == true}><font face="Verdana, Arial, Helvetica" size="2">Hello,</font></p>
<p><font face="Verdana, Arial, Helvetica" size="2"><{$language[arintro]}><BR>
  <BR>
  &nbsp;&nbsp;&nbsp;<b><{$language[articketid]}></b><{$ticket[fticketid]}><BR>
  &nbsp;&nbsp;&nbsp;<b><{$language[arsubject]}></b><{$ticket[subject]}><BR>
  &nbsp;&nbsp;&nbsp;<b><{$language[ardepartment]}></b><{$ticket[department]}><BR>
  &nbsp;&nbsp;&nbsp;<b><{$language[arpriority]}></b><{$ticket[priority]}><BR>
  &nbsp;&nbsp;&nbsp;<b><{$language[arstatus]}></b><{$ticket[status]}><BR>
  <BR>
<a href="<{$swiftpath}>index.php?_m=tickets&_a=viewticket&ticketid=<{$ticket[ticketid]}>&u_email=<{ urlencode value=$ticket[email]}>&u_passwd=<{urlencode value=$user[userpasswordtxt] }>&u_login=1&group=<{$ticket[tgroup]}>"> <{$language[arsubfooter]}> </a>
<{if $settings[u_sendpw] == 1 && $user[userpasswordtxt] != "" && $user[loginapi_moduleid] == 1}>  <BR>
<BR><BR>
<{/if}>
  <BR>
  <{if $newscount != 0}>
  <{foreach key=newskey value=newsitem from=$news}>
  <b><{$newsitem[index]}>.</b> <a href="<{$swiftpath}>index.php?_m=news&_a=viewnews&newsid=<{$newsitem[newsid]}>&group=<{$ticket[tgroup]}>"><{$newsitem[subject]}></a><BR>
  <{/foreach}>
  <BR>
  <{/if}>
  <{$language[arfooter]}><BR>
  <BR>
  <{$settings[general_companyname]}><{if $queuesignature != ""}><BR>
  <{$queuesignature}><{/if}></font><{else}><{$ticket[fullname]}>,
  <{$language[arintro]}>
  
  <{$language[articketid]}><{$ticket[fticketid]}>
  <{$language[arsubject]}><{$ticket[subject]}>
  <{$language[ardepartment]}><{$ticket[department]}>
  <{$language[arpriority]}><{$ticket[priority]}>
  <{$language[arstatus]}><{$ticket[status]}>
  
  <{$language[arsubfooter]}><{$swiftpath}>index.php?_m=tickets&_a=viewticket&ticketid=<{$ticket[ticketid]}><{if $settings[u_sendpw] == 1 && $user[userpasswordtxt] != "" && $user[loginapi_moduleid] == 1}>
  
  <{$language[aremail]}><{$ticket[email]}>
  <{$language[arpassword]}><{$user[userpasswordtxt]}>
  <{/if}>
  
  <{if $newscount != 0}>
  <{foreach key=newskey value=newsitem from=$news}>
  <{$newsitem[index]}>. <{$newsitem[subject]}>
  <{$swiftpath}>index.php?_m=news&_a=viewnews&newsid=<{$newsitem[newsid]}>&group=<{$ticket[tgroup]}>
  
  <{/foreach}>
  
  <{/if}>
  <{$language[arfooter]}>
  
  <{$settings[general_companyname]}><{if $queuesignature != ""}>
  <{$queuesignature}><{/if}><{/if}></p>
   
  (#25) Old
eMax Offline
Member
 
Posts: 63
Join Date: Nov 2003
20-07-2006, 01:17 AM

hmmm...oddly enough that works but when you click the link to auto login to the helpdesk the client sees:

ERROR: You do not have enough permissions to access this page. Please login by entering your Email and Password.
   
  (#26) Old
reDDevil Offline
New Member
 
Posts: 27
Join Date: Jun 2006
20-07-2006, 01:09 PM

Has anyone made this way of autologin work with SupportSuite 3.00.32? I did everything as written in this topic and get the ticket links containing email and password inside:

HTML Code:
http://support.mydomain.net/index.php?_m=tickets&_a=viewticket&ticketid=12&u_email=mail%40mail.com&u_passwd=cf51f31e&u_login=1&group=holland
but clicking this link causes a cyclic login procedure. I get a kind of auto-refresh of the following page
Quote:
Processing Login...
Please click here if your browser does not automatically redirect you
And each auto-refresh adds the following variables to the link:
loginresult=0&group=holland&
so after some refreshes I get the following link in address bar

HTML Code:
http://support.mydomain.net/index.php?loginresult=0&group=holland&loginresult=0&group=holland&loginresult=0&group=holland&loginresult=0&group=holland&loginresult=0&group=holland&loginresult=0&group=holland&loginresult=0&group=holland&loginresult=0&group=holland&_m=tickets&_a=viewticket&ticketid=12&u_email=mail%40mail.com&u_passwd=cf51f31e&u_login=1&group=holland
The link "Please click here if your browser does not automatically redirect you" also contains that strange collected link
Any ideas?

Last edited by reDDevil; 20-07-2006 at 01:14 PM.
   
  (#27) Old
tm2000 Offline
Member
 
Posts: 42
Join Date: Aug 2005
20-07-2006, 01:41 PM

Hmm.. couple Qs:

- Are you using this as the Auto-responder? Only that one has both the username and password to login.. The other templates require the entry (or remembered) password..

- Be sure you are logged out of support center.. before clicking on the link..



Quote:
Originally Posted by eMax
hmmm...oddly enough that works but when you click the link to auto login to the helpdesk the client sees:

ERROR: You do not have enough permissions to access this page. Please login by entering your Email and Password.
   
  (#28) Old
eMax Offline
Member
 
Posts: 63
Join Date: Nov 2003
20-07-2006, 11:11 PM

Quote:
Originally Posted by tm2000
Hmm.. couple Qs:

- Are you using this as the Auto-responder? Only that one has both the username and password to login.. The other templates require the entry (or remembered) password..

- Be sure you are logged out of support center.. before clicking on the link..

I redid it with your code above and was 100% logged out of the admin and staff areas with windows closed. Sent a test e-mail and got the following back in the auto reply for the link:

Code:
https://emaxhosting.com/support/index.php?_m=tickets&_a=viewticket&ticketid=13479&u_email=user%40domain.net&u_passwd=5555555&u_login=1&group=default
and I still get the error as shown in the screenshot. I'm using v3.00.90.
Attached Images
File Type: jpg Snap1.jpg (138.2 KB, 101 views)
   
  (#29) Old
tm2000 Offline
Member
 
Posts: 42
Join Date: Aug 2005
20-07-2006, 11:19 PM

Check your code below.. It has to be here (from the 1st post):

Quote:
Originally Posted by khoffman
There has been a lot of talk on the forums about how to have links in auto respond ticket emails to automatically login AND show the ticket. This can't be accomplished via direct URLs. There's even a ticket bugged for it: http://bugs.kayako.net/?do=details&id=345

But I will show you how to do it today!

Overview: modify login form (in navbar template) to populate email address and password based on parameters in the get URL (using the undocumented $_TPL template variable). Then, have some javascript that automatically submits the form if username and password are not blank. Finally, modify email templates to add email / password to URL for ticket.

How to do it:
1. Modify login form (in navbar template)

Login as in /admin, go to template, and edit General->navbar template.
Delete everything between
Code:
<!-- BEGIN LOGIN BOX -->
and
Code:
<!-- END LOGIN BOX -->
and replace it with the following:

Code:
					<!-- BEGIN LOGIN BOX -->
					  <tr class="tcat">
						<td width="1" align="left"><img src="<{$themepath}>space.gif" width="1" height="21"></td>
						<td width="1" align="left"><img src="<{$themepath}>blockarrow.gif" width="8" height="8"></td>
						<td valign="middle" align="left">&nbsp;<span class="smalltext"><strong><font color="#FFFFFF"><{$language[login]}></font></strong></span></td>
						<td align="right" width="130"><span class="smalltext"><{if $loginsharemodule != 1}>&nbsp;<{else}><a href="index.php?_m=core&_a=lostpassword" id="white"><{$language[lostpassword]}>&nbsp;</a><{/if}></span></td>
					  </tr>

					  <tr>
						<td bgcolor="#F5F5F5" colspan="4"><form name="loginform" action="<{$basepath}>" method="POST"><table width="100%"  border="0" cellspacing="1" cellpadding="2">
						  <tr>
							<td width="46%" class="smalltext"><{if $loginsharemodule != 1}><{$language[loginusername]}><{else}><{$language[loginemail]}><{/if}></td>

<{if $_TPL[GET][u_email] != ""}>
<td width="54%"><input type="text" name="loginemail" class="logintext" value="<{$_TPL[GET][u_email]}>"></td>
<{else}>
<td width="54%"><input type="text" name="loginemail" class="logintext" value="<{$cookieloginemail}>"></td>
<{/if}>
						  </tr>
						  <tr>
							<td class="smalltext"><{$language[loginpassword]}></td>

<{if $_TPL[GET][u_passwd] != ""}>
<td><input type="password" name="loginpassword" class="loginpassword" value="<{$_TPL[GET][u_passwd]}>"></td>
<{else}>
<td><input type="password" name="loginpassword" class="loginpassword" value="<{$cookieloginpassword}>"></td>
<{/if}>

							</tr>
						  <tr>
							<td class="smalltext"><{$language[loginrememberme]}></td>

<{if $_TPL[GET][u_passwd] != ""}>
<td><input type="checkbox" name="rememberme" value="1" checked>
<{else}>
<td><input type="checkbox" name="rememberme" value="1"<{if $cookierememberme == 1}> checked<{/if}>>
<{/if}>

						  </tr>
						  <tr>
							<td class="smalltext">&nbsp;</td>
							<td><input type="submit" name="Submit2" value="<{$language[login]}>" class="yellowbutton">                          </td>
						  </tr>
						</table><input type="hidden" name="_m" value="core"><input type="hidden" name="_a" value="login"><input type="hidden" name="querystring" value="<{$querystring}>"></form>
<{if $_TPL[GET][u_login] == "1" && !($_TPL[GET][loginresult] < 0) }>
						<script language="JavaScript"><!--
if (document.loginform && document.loginform.submit && document.loginform.loginemail && document.loginform.loginpassword){
	if (document.loginform.loginemail.value.length > 0 && document.loginform.loginpassword.value.length > 0){
		document.loginform.submit();
	}
}
						//--></script>
<{else}>
						<script language="Javascript">
						document.loginform.loginemail.focus();
						</script>
<{/if}>
						</td>
					  </tr>
					  <!-- END LOGIN BOX -->
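
The ticket links built in this thread carry `u_passwd` in the query string, so the password is written to web server access logs (request line and Referer field). The following is an added example, not code from the thread: it finds and redacts those values in constructed combined-format log lines; the sample host, addresses and password are assumptions.

```python
import re
from urllib.parse import unquote

# Parameter names are the ones used by the ticket links in this thread.
PASSWD_RE = re.compile(r'([?&]u_passwd=)([^&\s"]+)')
EMAIL_RE = re.compile(r'[?&]u_email=([^&\s"]+)')

# Constructed sample: combined-format access log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jul/2006:13:09:01 +0000] "GET /index.php?_m=tickets'
    '&_a=viewticket&ticketid=12&u_email=mail%40example.test&u_passwd=s3cretpw'
    '&u_login=1&group=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Jul/2006:13:09:02 +0000] "GET /themes/space.gif HTTP/1.1" '
    '200 43 "http://support.example.test/index.php?ticketid=12'
    '&u_email=mail%40example.test&u_passwd=s3cretpw&u_login=1" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jul/2006:13:10:44 +0000] "GET /index.php?_m=news'
    '&_a=viewnews&newsid=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def scan_access_log(lines):
    """Return (findings, redacted_lines) for log lines that expose u_passwd."""
    findings, redacted = [], []
    for number, line in enumerate(lines, 1):
        hits = PASSWD_RE.findall(line)
        if hits:
            # Record which account is affected, never the password itself.
            accounts = sorted({unquote(e) for e in EMAIL_RE.findall(line)})
            findings.append(
                {"line": number, "accounts": accounts, "occurrences": len(hits)}
            )
            line = PASSWD_RE.sub(r"\1REDACTED", line)
        redacted.append(line)
    return findings, redacted


def accounts_to_reset(findings):
    """Distinct accounts whose password appeared in the log."""
    return sorted({a for f in findings for a in f["accounts"]})


if __name__ == "__main__":
    found, _ = scan_access_log(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print("reset:", accounts_to_reset(found))
```
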
   
  (#30) Old
jamesM Offline
Member
 
Posts: 51
Join Date: Jun 2006
21-07-2006, 04:09 AM

Quote:
Originally Posted by eiden
I have spent some hours to work around this problem by writing my own LoginShare. I only store encrypted (MD5) passwords in the DB. And I have disabled the "[Lost Password]" function. If the user forgets his/her password, the user can get a new one from our main website. This password is of course randomly generated.

But there are some downsides with the LoginShare function. I have reported this bug/issue: http://bugs.kayako.net/?do=details&id=1499
You do know that MD5 hashes can be broken, don't you?

At some stage we will also use password audits, e.g. so that password lengths and password expires after a certain amount of time to bring it in to line with our other applications as well to try and improve security.

Last edited by jamesM; 21-07-2006 at 04:12 AM.
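
The storage options discussed in posts #16 and #30 (plain text, bare MD5, salted hash plus a randomly generated replacement password), as an added example that is not code from the thread or from Kayako. It assumes PBKDF2-HMAC-SHA256 as the salted scheme and a plain dict `db` standing in for the user table; both are choices made for this example, and it goes one step beyond the thread by upgrading legacy MD5 records at login.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; tune per host)


def unsalted_md5(password):
    """The weak scheme: fast and unsalted, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password):
    """Return 'pbkdf2$<iterations>$<salt hex>$<digest hex>' with a fresh salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Check a password against a pbkdf2 record or a legacy bare MD5 hex digest."""
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    return hmac.compare_digest(unsalted_md5(password).encode(), stored.encode())


def login(db, email, password):
    """Verify, and replace a legacy MD5 record with a salted one on success."""
    stored = db.get(email)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        db[email] = hash_password(password)
    return True


def reset_password(db, email):
    """Lost-password flow: issue a random password, store only its salted hash."""
    new_password = secrets.token_urlsafe(12)
    db[email] = hash_password(new_password)
    return new_password
```
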
   
LinkBack to this Thread: http://forums.kayako.com/f52/create-links-ticket-emails-auto-login-go-ticket-7615/