Details
- Improvement
- Resolution: Fixed
- Major
- 13.8
- None
Description
The reset password form is burning verification codes very aggressively. A simple reload will burn the code and look like an error to users. The implementation notes suggest that this is done to avoid the possibility of brute-force attacks. However, it seems hard to brute-force such a verification code, which is only created on demand by the user, and an alternative method would be to use a timeout for the validity of the code.
I suggest the following implementation:
1. Set a timeout for the validity of codes
2. Burn the codes only once the process is fully done or the timeout is exceeded
An additional security measure would be to add the IP address of the user as an additional check, but this has side effects which could make it fail (send code from mobile, change password on desktop).
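One way to implement the two-step proposal above (a lifetime for each code, and burning it only when the reset completes or the timeout is exceeded), as an added Python example that is not XWiki's code. The class name, the per-code attempt limit (kept so that online guessing stays bounded even without burn-on-reload) and the injected `now` parameter are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class _PendingReset:
    token_hash: bytes   # SHA-256 of the code; the plaintext is only ever sent to the user
    expires_at: float   # absolute Unix time after which the code is dead
    attempts: int = 0   # failed verification attempts against this code


class ResetTokenStore:
    """Hypothetical reset-code store: codes expire on a timeout and are burned
    only when the reset completes, so reloading the form does not invalidate them."""

    def __init__(self, ttl_seconds: int = 900, max_attempts: int = 5) -> None:
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending: Dict[str, _PendingReset] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user: str, now: float) -> str:
        """Create a fresh code for `user`, replacing any earlier one."""
        token = secrets.token_urlsafe(32)
        self._pending[user] = _PendingReset(self._digest(token), now + self.ttl)
        return token

    def check(self, user: str, token: str, now: float) -> bool:
        """Validate without consuming: safe to call on every page load or reload."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now >= entry.expires_at or entry.attempts >= self.max_attempts:
            del self._pending[user]          # timed out or too many guesses: burn it
            return False
        if not hmac.compare_digest(entry.token_hash, self._digest(token)):
            entry.attempts += 1              # wrong code: count it, but keep the code alive
            return False
        return True

    def complete(self, user: str, token: str, now: float) -> bool:
        """Final step: verify once more, then burn the code so it cannot be replayed."""
        if not self.check(user, token, now):
            return False
        del self._pending[user]
        return True
```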
Issue Links
- is duplicated by XWIKI-21326 Microsoft "safe links" interferes with password reset feature. (Closed)
- relates to XWIKI-21571 Change default value of the reset password token lifetime (Closed)