0

Hi guys,

I'll try to be as brief as possible. I have purchased a login script and I've pulled it apart. It all works nicely except for this one thing.

The user logs in with their email address, and there is a forgot password page so that the user can reset their password by entering their email address. Trouble is, it sets an activate flag in the db to false and is only returned true when the user clicks on the link generated in their email address and resets their password.

This works great however, here's the thing. Let's say some unruly person knows the email address of the user he can cause havoc by requesting a password reset thereby getting the user to reset their password.

That unruly person won't be able to access the other person's account or anything but they could just cause an inconvenience by requesting a password reset all the time. How do I go about preventing this.

What would be the logic?

Ta

3
Contributors
3
Replies
20
Views
3 Years
Discussion Span
Last Post by sieunhantanbao
0

What's the purpose of flipping the activate flag to off if a password reset is requested? The email should read:

You or someone else has requested a password reset for this email address. Click this link to change your password. If it wasn't you, then just ignore this email, and continue using your existing password.

1

yeah but potientially that person could send bajillions of email links to user. is that not an issue?

0

I think this is not an issue. That login module treats correctly. In your assumption, the errors belong to users because their email have been losed.
But with the systems that related to financial like internet banking, all transactions should be sent the confirmation (verify code) to the users phone, that is more security.

Edited by sieunhantanbao: modify

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.