How does standard 'send password' actually work


I've noticed something has changed when you use the 'send password'-functionality in service: 
This send an email with a link ( [[loginUrl]] ) , and when a customer clicks on it they open the customer center with a valid custsessionkey/session. The url looks something like this:
I guess the token gets exchanged for a custsessionKey somewhere down the line. 

Now, you are unable to navigate around untill you have actually set a new password, and im wondering what is actually deciding this. Is it a part of the sessionkey? 

I've created a custom CC and i've created a simple logout-method that can be called from a button on my page: 

  AddHttpHeader("set-cookie", "custSessionKey=; expires=Thu, 01 Jan 1970 00:00:00 GMT");
  result.message = "Logout ok!";
  result.message = "Error logging out..";

This only logs the customer out and sets the custSessionKey to expired, and works as expected as long as i've logged in normally on the CC. 

When i get the custsessionkey from the 'send password' i have no success on actually logging myself out and i expect this has something to do with the 'you have to set a new password first'-stuff thats going on. 
If i go into cookies and remove the custsessionKey manually i'm logged out as expected, so i'm unsure what prevents my script from setting the expired-date to something invalid. 

My question is how is this all connected so i can better understand how to work around this issue. 


RE: How does standard 'send password' actually work

You are right, the token is exchanged for custSessionKey (as you can see from the cookies). But this session key is restricted to only have access to limited number of funtionallity in the Customer Center. In the table "login_customer", you can find these session keys, and there is a field called "origin". If the value of this is "3", that means that this session key is a "change password session key".

So to the question about your "logout" button that does not work in this case. What action are you calling when clicking the "logout"? My guess is that you are not allowed to call that action when having this restricted type of session key.

But I also see that calling "?action=logout" does not remove this special kind of session. I think it probably should, and we should look into this. If that is fixed, you could simply call that URL?

Av: Stian Andre Olsen 11. jan 2021

RE: How does standard 'send password' actually work


Thank you for clarifying :) 

Im using the safeParse-action through an XMLHTTPRequest:'POST', '" + getProgramCustomer() + "&action=safeParse&includeId=' +'includeid') + '&key=' +'key')); 

It actually looks like it is not executed, so you are correct that this is not allowed as long as i have this 'special-cookie'. 

"?action=logout" should remove it, yes, and i notice you should edit the default changeCust.thml as well. 
Click 'preview as html': 

Follow url: 

The option 'logg out' does not work, as you have a restricted cookie: 

If i'm not allowed to execute custom endpoints with a restricted cookie in my browser i guess "?action=logout" will have to do.
It need to remove the cookie and clean up the table though, as my main issue to begin with was that i get a new row in "login_customer" for each logon:

#setLanguageLevel 3;

SearchEngine se;
se.addFields("login_customer", "id,customer_id,session_key");
se.addCriteria("login_customer.customer_id", "Equals", "26493"); //26493 = my user
  printLine("id: " + se.getField(0) + ", customer_id: " + se.getField(1) + ", sessionKey: " + se.getField(2));

This gives me the result: 

My custom endpoint handles this by deleting all rows for the customer_id, but i'm unsure if SuperOffice eventually deletes these(?)

Is there a default endpoint that accepts a form with username and password, and just sets the cookie? 
Not really sure how i can use "?action=login" and "?action=logout" in a my custom CC, as everything is inside CRMscript and i havent included anything in the default .html-files.. Whenever i have tried using these i get routed back to the default CC, and if i e.preventdefault() and handle the stuff myself it looks like you return a whole webpage.. 



Av: Eivind Johan Fasting 11. jan 2021