Project

General

Profile

Actions

Improvements #10668

open

change password token invalidation policy: too strict?

Added by Wim Dumon about 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
07/15/2022
Due date:
% Done:

0%

Estimated time:

Description

A password token is invalidated immediately its link is accessed, even if the password was not changed. We got a user complaint that the password link always was reported to be invalid.

The logs show that the link was accessed multiple times from multiple IP addresses. Possibly these are intermediate email gateways checking included links for malware.

Would it be acceptable to invalidate password change links only after they were successfully used to change the password?

No data to display

Actions

Also available in: Atom PDF