Improvements #10668
openchange password token invalidation policy: too strict?
Status: New
Priority: Normal
Assignee: -
Target version: -
Start date: 07/15/2022
Due date:
% Done: 0%
Estimated time:
Description
A password token is invalidated immediately its link is accessed, even if the password was not changed. We got a user complaint that the password link always was reported to be invalid.
The logs show that the link was accessed multiple times from multiple IP addresses. Possibly these are intermediate email gateways checking included links for malware.
Would it be acceptable to invalidate password change links only after they were successfully used to change the password?
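The policy proposed in this issue, as an added Python sketch that is not openchange code or part of the original report: accessing the link only checks the token, and the token is consumed only when the password change succeeds. The class name, method names, the one-hour lifetime and the one-live-token-per-user rule are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the issue does not state one


class ResetTokenStore:
    """Hypothetical store: tokens are consumed on a successful change, not on link access."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # sha256(token) -> (user, expiry); raw tokens are never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        # Assumed rule: one live token per user, so a new request drops older tokens.
        self._tokens = {d: v for d, v in self._tokens.items() if v[0] != user}
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user, self._now() + TOKEN_TTL_SECONDS)
        return token

    def peek(self, token):
        """Link access (GET): return the user if the token is valid, change no state."""
        entry = self._tokens.get(self._digest(token))
        if entry is None or entry[1] < self._now():
            return None
        return entry[0]

    def redeem(self, token, set_password):
        """Form submission (POST): consume the token only if the change succeeds."""
        user = self.peek(token)
        if user is None:
            return False
        if not set_password(user):  # e.g. new password rejected by policy
            return False            # token stays valid for another attempt
        del self._tokens[self._digest(token)]
        return True
```

With this policy a link fetched by a mail gateway stays usable, so the expiry time and the invalidation on success are what bound how long a leaked link can be used.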