XWiki Platform: XWIKI-19077

Less strict code verification in the reset password system


Details

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 13.10.1, 14.0-rc-1
    • Affects Version/s: 13.8
    • Component/s: Security
    • Labels: None
    • Tests to write: Unit
    • Difficulty: Unknown

Description

The reset password form is burning verification codes very aggressively. A simple reload will burn the code and look like an error to users. The implementation notes suggest that this is done to avoid the possibility of brute-force attacks. However, it seems hard to brute-force such a verification code, which is only created on demand by the user, and an alternative method would be to use a timeout for the validity of the code.

I suggest the following implementation:

1/ Set a timeout for the validity of codes
2/ Burn the codes only once the process is fully done or the timeout is exceeded

An additional security measure would be to add the IP address of the user as an additional check, but this has side effects which could make it fail (send code from mobile, change password on desktop).
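The two-step proposal above (a validity timeout, and burning the code only on completion or expiry) is illustrated here with an in-memory code store. This is an added example written for this page, not XWiki's own implementation; the class and function names, the 15-minute timeout and the per-code cap on wrong guesses are all assumptions chosen for the illustration. The cap is included as one way to keep the brute-force concern from the implementation notes covered once codes stop being burned on first use. Setting `burn_on_verify=True` reproduces the reload problem the ticket describes, so the two behaviours can be compared side by side.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: an in-memory store for password-reset verification codes.
# Codes stay valid until the reset completes or the timeout passes (the ticket's
# proposal) instead of being burned on the first verification.  The attempt cap
# is an assumed extra guard against online guessing, not part of the ticket.

CODE_TTL_SECONDS = 15 * 60      # assumed timeout for a code's validity
MAX_FAILED_ATTEMPTS = 5         # assumed cap on wrong guesses before the code is burned


@dataclass
class PendingReset:
    code_hash: bytes            # only a hash is stored, never the raw code
    expires_at: float
    failed_attempts: int = 0


def _hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


class ResetCodeStore:
    def __init__(self, burn_on_verify: bool = False) -> None:
        # burn_on_verify=True mimics the behaviour the ticket complains about:
        # any verification, including a page reload, invalidates the code.
        self._pending: Dict[str, PendingReset] = {}
        self._burn_on_verify = burn_on_verify

    def issue(self, user: str, now: float) -> str:
        """Create a fresh code for a user; any earlier code is replaced."""
        code = secrets.token_urlsafe(24)
        self._pending[user] = PendingReset(_hash_code(code), now + CODE_TTL_SECONDS)
        return code

    def _lookup(self, user: str, now: float) -> Optional[PendingReset]:
        entry = self._pending.get(user)
        if entry is None:
            return None
        if now >= entry.expires_at:
            del self._pending[user]     # timeout exceeded: burn the code
            return None
        return entry

    def verify(self, user: str, code: str, now: float) -> bool:
        """Check a code when the reset form is displayed or reloaded."""
        entry = self._lookup(user, now)
        if entry is None:
            return False
        if not hmac.compare_digest(entry.code_hash, _hash_code(code)):
            entry.failed_attempts += 1
            if entry.failed_attempts >= MAX_FAILED_ATTEMPTS:
                del self._pending[user]  # too many wrong guesses: burn the code
            return False
        if self._burn_on_verify:
            del self._pending[user]
        return True

    def complete(self, user: str, code: str, now: float) -> bool:
        """Final step: the new password has been set, so the code is burned."""
        if not self.verify(user, code, now):
            return False
        self._pending.pop(user, None)
        return True


def reload_survives_with_timeout() -> bool:
    """Proposed behaviour: a reload keeps working, completion burns the code."""
    store = ResetCodeStore()
    t0 = 1_700_000_000.0
    code = store.issue("alice", t0)
    first = store.verify("alice", code, t0 + 1)
    reload = store.verify("alice", code, t0 + 2)   # page reload: still valid
    done = store.complete("alice", code, t0 + 3)
    after = store.verify("alice", code, t0 + 4)    # burned after completion
    return first and reload and done and not after


def reload_breaks_when_burning_eagerly() -> bool:
    """Current behaviour from the ticket: the reload looks like an error."""
    store = ResetCodeStore(burn_on_verify=True)
    t0 = 1_700_000_000.0
    code = store.issue("bob", t0)
    first = store.verify("bob", code, t0 + 1)
    reload = store.verify("bob", code, t0 + 2)
    return first and not reload


def expired_code_is_rejected() -> bool:
    """A code past its timeout is refused and purged."""
    store = ResetCodeStore()
    t0 = 1_700_000_000.0
    code = store.issue("carol", t0)
    return not store.verify("carol", code, t0 + CODE_TTL_SECONDS + 1)
```

Storing only the hash means a leaked store does not hand out usable codes, and `hmac.compare_digest` avoids timing differences between near-miss and far-off guesses. A real deployment would persist the entries and pass the clock in from the request, as the functions here do with `now`, so that expiry can be tested deterministically.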

People

    • Assignee: Simon Urli (surli)
    • Reporter: Ludovic Dubost (ludovic)