Improvements #10668

change password token invalidation policy: too strict?

Added by Wim Dumon 5 months ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date: 07/15/2022
Due date: -
% Done: 0%
Estimated time: -

Description

A password token is invalidated immediately when its link is accessed, even if the password was not changed. We got a user complaint that the password link was always reported to be invalid.

The logs show that the link was accessed multiple times from multiple IP addresses. Possibly these are intermediate email gateways checking included links for malware.

Would it be acceptable to invalidate password change links only after they were successfully used to change the password?
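As an added illustration (not code from this tracker or from the project), the sketch below shows the policy asked about above: the GET on the reset link is read-only, so mail gateways that open every link in a message do not burn the token, and the token is consumed only when a password change actually succeeds. The longer validity window that results is bounded by a short expiry, a single-use flag and invalidation of older tokens when a new one is issued. The class and function names, the 15-minute lifetime and the minimal password check are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_LIFETIME_SECONDS = 15 * 60  # assumed policy: a reset link is good for 15 minutes


@dataclass
class ResetRecord:
    user: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Toy reset-token store (assumed design). Only a hash of the token is kept
    server-side; the raw token goes into the emailed link."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._records: Dict[str, ResetRecord] = {}   # token hash -> record
        self.passwords: Dict[str, str] = {}          # user -> password (plain, demo only)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user: str) -> str:
        # Issuing a new token retires any earlier, still-open token for the same user.
        for rec in self._records.values():
            if rec.user == user:
                rec.used = True
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = ResetRecord(
            user=user, expires_at=self._clock() + TOKEN_LIFETIME_SECONDS)
        return token

    def _live_record(self, token: str) -> Optional[ResetRecord]:
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self._clock() >= rec.expires_at:
            return None
        return rec

    def link_is_valid(self, token: str) -> bool:
        """Handler for the GET on the reset link. Read-only: a link scanner
        opening the URL learns only whether the form should be shown."""
        return self._live_record(token) is not None

    def change_password(self, token: str, new_password: str) -> bool:
        """Handler for the POST of the reset form. The token is consumed only
        when the change succeeds; a rejected password leaves it usable."""
        rec = self._live_record(token)
        if rec is None:
            return False
        if len(new_password) < 12:   # placeholder policy check, assumed for the demo
            return False
        self.passwords[rec.user] = new_password
        rec.used = True
        return True


def demo_scanner_then_user() -> dict:
    """Replays the scenario from the report: gateways open the link several
    times before the user does, then the user changes the password once."""
    now = [1_000_000.0]
    svc = PasswordResetService(clock=lambda: now[0])
    token = svc.issue_token("alice")
    scanner_checks = [svc.link_is_valid(token) for _ in range(3)]  # constructed scanner hits
    rejected = svc.change_password(token, "short")                # too short, token survives
    still_valid_after_reject = svc.link_is_valid(token)
    first_change = svc.change_password(token, "correct horse battery staple")
    replay = svc.change_password(token, "another long password")  # single use
    link_after_use = svc.link_is_valid(token)
    bob_token = svc.issue_token("bob")
    now[0] += TOKEN_LIFETIME_SECONDS + 1                          # clock past expiry
    expired_link = svc.link_is_valid(bob_token)
    return {
        "scanner_checks": scanner_checks,
        "rejected": rejected,
        "still_valid_after_reject": still_valid_after_reject,
        "first_change": first_change,
        "replay": replay,
        "link_after_use": link_after_use,
        "expired_link": expired_link,
        "password": svc.passwords.get("alice"),
    }


if __name__ == "__main__":
    print(demo_scanner_then_user())
```

The point to check in a real implementation is that the GET handler performs no state change at all; if the reset form is shown and submitted in the same request cycle, the consumption must still happen on the POST.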
