[Cosmo-dev] "Forgot Password" workflow
Travis Vachon
travis at osafoundation.org
Wed Mar 14 10:36:55 PST 2007
>
> i don't like the problems that come with the old way of doing things.
> i don't mind adding something to the data model to allow more secure
> password changes.
>
> how about a PasswordChange entity with a randomly generated token and
> an association to the User? then the cmp url could be
> /account/password/change/<token>. this url would be generated by the
> server and emailed to the user. attackers would either have to
> intercept the email (which is of course fully possible) or guess the
> token to build the password change url.
I agree, and this sounds like a better design than the alternative,
so I'll be moving forward with this.
-Travis
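The token-based PasswordChange design sketched in the quoted message, as an added example in Python that is not Cosmo's own code: it assumes an in-memory dictionary in place of Cosmo's data model and a hypothetical base URL, and adds the checks a deployment would want around such a token (only a hash of the token is stored, tokens expire, and each is single-use).

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory store standing in for the PasswordChange entity and its
# association to the User (assumption: Cosmo's real persistence layer is not used).
TOKEN_TTL_SECONDS = 3600
_password_changes = {}  # sha256(token) -> {"username": str, "expires": float}


def _hash_token(token: str) -> str:
    # Persist only a hash: a leaked database row must not yield a working URL.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_password_change(username: str, now: Optional[float] = None) -> str:
    """Record a PasswordChange for the user and return the token for the emailed URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _password_changes[_hash_token(token)] = {
        "username": username,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def change_url(token: str, base: str = "https://cosmo.example") -> str:
    # Path shape is the one proposed in the thread; the host is an assumed placeholder.
    return f"{base}/account/password/change/{token}"


def redeem_password_change(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is valid and consume it; otherwise None."""
    now = time.time() if now is None else now
    # pop() makes the token single-use; lookup by hash means the raw token never
    # needs to be compared against stored values.
    record = _password_changes.pop(_hash_token(token), None)
    if record is None or now > record["expires"]:
        return None
    return record["username"]
```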