Password Recovery sending email to User's old email address
Recently one of our users had forgotten their password and so were trying to reset their password via the "forgot your password" link that is built into the Sitefinity Login Widget. The problem however was that they were not receiving the "Password Reset" email which meant they weren't able to reset their password. After some digging around, it turns out their user email address had been updated at some point prior to this and the "Password Reset" email was being sent (or trying to be sent) to their old email address!
Upon further digging, I discovered that their old email address was being pulled from a table called "sf_notif_subscribers". So basically it seems that when somebody goes through the "forgot your password" process, it uses the "sf_notif_subscribers" table to find the user's email address. The trouble is that this particular user's email address is different in that table to their email address in the "sf_users" table.
I've been able to replicate this behaviour by performing the following steps:
1. Click on the "forgot your password" link, then enter the user's email address and submit (I used the "smtp4dev" program to capture the emails being sent). This action inserted a new record into the "sf_notif_subscribers" table with the user's current email address. There's no need to actually go through with the rest of the reset password process at this point as it makes no difference to the outcome.
2. Go into Sitefinity backend and update the same user's email address. For me, the user's email address gets updated in the "sf_users" table but not in the "sf_notif_subscribers" table.
3. Go back to frontend and go through the "forgot your password" process again for that same user, and it will try to send an email to the old email address.
This is happening in version 6.1, however I've also tried it in version 7 and it seems to be fixed. Upgrading the client's website from 6.1 to 7 is probably not an option at this point however. Does anyone know how to fix this?
Hello Gavin,
I was able to reproduce the issue on a 6.1 project and indeed the email is still being sent to the first registered email address.
However, the issue is resolved and the password reset works correctly in Sitefinity 7.0. I have recorded a video following the steps you described and the email is sent to the current - correct email address.
Regards,
Nikola Zagorchev
Telerik
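
An added example, not part of the thread and not Sitefinity code: a small SQLite model of the three reproduction steps above, plus an audit query that lists accounts whose cached reset recipient no longer matches the account's current address. Only the two table names come from the thread; the columns, the join key and the function names are assumptions made for illustration.

```python
import sqlite3

def build_db():
    # Constructed sample data. Table names are from the thread; the columns
    # (id, user_id, email) are hypothetical, not Sitefinity's real schema.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sf_users (id TEXT PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE sf_notif_subscribers (user_id TEXT PRIMARY KEY,
                                           email TEXT NOT NULL);
        INSERT INTO sf_users VALUES ('u1', 'alice@example.com'),
                                    ('u2', 'bob@example.com');
    """)
    return db

def request_reset(db, submitted_email):
    """Steps 1 and 3: model of the 6.1 behaviour described in the thread.
    The first request caches the address in the subscriber table; later
    requests reuse the cached row. Returns the address the mail goes to."""
    row = db.execute("SELECT id FROM sf_users WHERE lower(email) = lower(?)",
                     (submitted_email,)).fetchone()
    if row is None:
        return None  # unknown address: nothing is sent
    db.execute("INSERT OR IGNORE INTO sf_notif_subscribers VALUES (?, ?)",
               (row[0], submitted_email))
    return db.execute("SELECT email FROM sf_notif_subscribers WHERE user_id = ?",
                      (row[0],)).fetchone()[0]

def update_email(db, user_id, new_email):
    """Step 2: the backend edit changes sf_users only."""
    db.execute("UPDATE sf_users SET email = ? WHERE id = ?", (new_email, user_id))

def find_drift(db):
    """Audit: (user id, current address, cached recipient) for every account
    whose reset mail would go somewhere other than the current address."""
    return db.execute("""
        SELECT u.id, u.email, s.email
        FROM sf_users u
        JOIN sf_notif_subscribers s ON s.user_id = u.id
        WHERE lower(u.email) <> lower(s.email)
        ORDER BY u.id""").fetchall()

if __name__ == "__main__":
    db = build_db()
    request_reset(db, "alice@example.com")        # step 1
    update_email(db, "u1", "alice@new.example")   # step 2
    print(request_reset(db, "alice@new.example")) # step 3: stale recipient
    print(find_drift(db))
```
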