[Cosmo-dev] "Forgot Password" workflow
travis at osafoundation.org
Tue Mar 27 12:46:58 PST 2007
> Should the token expire after some time if it's not used?
Yeah, definitely, anyone have any thoughts on an appropriate default?
I think this is something that should be configurable in
cosmo.properties, any disagreements?
The way I'm implementing it users cannot use an expired token to
change a password, but expired tokens will remain in the database
until a user tries to use them. In the medium term we should probably
come up with a pruning strategy, but I don't think that's necessarily
needed for Preview. Thoughts?
> What happens if the users generates multiple tokens one after the
An email will be sent for each token with a different "password
recovery key" in each. At that point, either key will work for
resetting the user's password.
Once a key has been used, that key will be deleted, but any other
keys in the system that correspond to that user will still hang around.
More information about the cosmo-dev