[Cosmo-dev] "Forgot Password" workflow

Matthew Eernisse mde at osafoundation.org
Tue Mar 27 12:36:19 PST 2007


Should the token expire after some time if it's not used? What happens 
if the user generates multiple tokens one after the other?

Not sure if we even care, but thought it might be worth mentioning.

Travis Vachon wrote:
>>
>> i don't like the problems that come with the old way of doing things.
>> i don't mind adding something to the data model to allow more secure
>> password changes.
>>
>> how about a PasswordChange entity with a randomly generated token and
>> an association to the User? then the cmp url could be
>> /account/password/change/<token>. this url would be generated by the
>> server and emailed to the user. attackers would either have to
>> intercept the email (which is of course fully possible) or guess the
>> token to build the password change url.
> 
> I agree, and this sounds like a better design than the alternative, so 
> I'll be moving forward with this.
> 
> -Travis
> _______________________________________________
> cosmo-dev mailing list
> cosmo-dev at lists.osafoundation.org
> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev
> 
