I'll try to be as brief as possible. I have purchased a login script and I've pulled it apart. It all works nicely except for this one thing.
The user logs in with their email address, and there is a forgot password page so that the user can reset their password by entering their email address. Trouble is, it sets an activate flag in the db to false and is only returned true when the user clicks on the link generated in their email address and resets their password.
This works great however, here's the thing. Let's say some unruly person knows the email address of the user he can cause havoc by requesting a password reset thereby getting the user to reset their password.
That unruly person won't be able to access the other person's account or anything but they could just cause an inconvenience by requesting a password reset all the time. How do I go about preventing this.
What would be the logic?