Password Reset Token Issue
The SBA Application lets an end-user reset or change a password through the “Forgot Password” URL, https://certify.sba.gov/users/password/new. The end-user can change the password for security reasons or reset it if forgotten. The password reset URL contains a token with special characters, and some email clients decode or encode it differently. As a result, the token retrieved by the end-user can be different from the one in the SBA Application.
Verify Token Issue
Ask the end-user for the password reset URL
Check whether the URL contains percent-encoded characters such as %3d or %2a, as in the URL below
http://certify.sba.gov/users/password/edit?reset_password_token=ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1MnWe
Copy and paste the token ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1MnWe into the left box
Remove “We” from the end of the token, leaving “ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1Mn”
Click Decode URL
The decoded token will appear in the right box: ZgZDcdJ2MeBlJ5K8uzmV4g==*1Mn
Give the customer the password reset URL with the correct token
http://certify.sba.gov/users/password/edit?reset_password_token=ZgZDcdJ2MeBlJ5K8uzmV4g==*1Mn
Confirm with the end-user whether the password reset succeeded or failed with the decoded token.
Email hosting companies that cause the token issue are:
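The decode step above can also be done locally instead of in a decoder page. The following is an added example, not part of the SBA procedure or application code; the function names are hypothetical, and the sample URL is the page's example after the trailing characters have been removed as in the step above.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

PARAM = "reset_password_token"            # parameter name from the page's URLs
ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")   # one percent-encoded byte

# The page's example URL, with the token already trimmed as the procedure describes.
SAMPLE = ("http://certify.sba.gov/users/password/edit"
          "?reset_password_token=ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1Mn")

def raw_token(url):
    """Return the token exactly as it appears in the URL, with no decoding."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == PARAM:
            return value
    raise ValueError(f"no {PARAM} parameter in URL")

def decode_token(token):
    """Percent-decode once. unquote() is used rather than unquote_plus() so a
    literal '+' inside a token is not turned into a space."""
    decoded = unquote(token)
    return {
        "decoded": decoded,
        "was_encoded": bool(ESCAPE.search(token)),
        # Escapes that survive one decode suggest the token was encoded twice.
        "still_encoded": bool(ESCAPE.search(decoded)),
    }

def corrected_url(url):
    """Rebuild the reset URL with the decoded token in place of the raw one."""
    parts = urlsplit(url)
    token = raw_token(url)
    fixed = decode_token(token)["decoded"]
    query = parts.query.replace(f"{PARAM}={token}", f"{PARAM}={fixed}", 1)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))

if __name__ == "__main__":
    print(decode_token(raw_token(SAMPLE)))
    print(corrected_url(SAMPLE))
```

If `still_encoded` is true after one pass, the token was probably encoded more than once and should be checked by hand before it is sent to the customer.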
highway
End-user requests a password reset email. (The user must have a valid email on SBA Certify.)
Go to https://certify.sba.gov
Click Login (blue button in the middle of the page)
Click Forgot Your Password (red button)
Enter a valid email address and click the blue “send the instructions” button
End-user checks his/her email
Click the reset URL in the email to reset the password