
Less strict code verification in the reset password system


Details

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 13.10.1, 14.0-rc-1
    • Affects Version/s: 13.8
    • Component/s: Security
    • Labels: None
    • Testing: Unit
    • Difficulty: Unknown

    Description

      The reset password form is burning verification codes very aggressively. A simple reload will burn the code and look like an error for users. The implementation notes suggest that this is done to avoid the possibility of brute-force attacks. However, it seems hard to brute-force such a verification code, which is only created on demand by the user, and an alternative method would be to use a timeout for the validity of the code.

      I suggest the following implementation:

      1/ Set a timeout for validity of codes
      2/ Burn the codes only once the process is fully done or the timeout is exceeded

      An additional security measure would be to add the IP address of the user as an additional check but this has side effects which could make it fail (send code from mobile, change password on desktop).
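      The two-step proposal above, as an added example that is not XWiki's own code: codes are stored hashed with an expiry, a form reload only checks the code without consuming it, and the code is burned when the reset completes, when the timeout passes, or (a defensive addition assumed here) after a small number of wrong guesses. The TTL and attempt cap are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60   # assumed validity window for a code
MAX_FAILED_CHECKS = 5        # assumed cap on wrong guesses before the code is burned


@dataclass
class PendingReset:
    code_hash: str           # sha256 of the code; the plaintext is never stored
    expires_at: float
    failed_checks: int = 0


class ResetCodeStore:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._pending: dict[str, PendingReset] = {}

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`, replacing any earlier one."""
        code = secrets.token_urlsafe(24)
        self._pending[user] = PendingReset(
            code_hash=hashlib.sha256(code.encode()).hexdigest(),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code

    def check(self, user: str, code: str) -> bool:
        """Validate without consuming: safe to call on every form load/reload."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._now() >= entry.expires_at or entry.failed_checks >= MAX_FAILED_CHECKS:
            del self._pending[user]          # timeout exceeded or too many tries: burn
            return False
        presented = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(presented, entry.code_hash):
            entry.failed_checks += 1         # wrong guess: count it, keep the code alive
            return False
        return True

    def complete(self, user: str, code: str) -> bool:
        """Consume the code only once the password change actually goes through."""
        if not self.check(user, code):
            return False
        del self._pending[user]              # process fully done: burn the code
        return True
```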

            People

              Assignee: Simon Urli (surli)
              Reporter: Ludovic Dubost (ludovic)