Re: Hide email validation in "Lost password" page? -- Security bug
From: Davi Leal
Subject: Re: Hide email validation in "Lost password" page? -- Security bug
Date: Wed, 18 Apr 2007 18:24:00 +0200 (CEST)
Victor Engmark wrote:
> Davi Leal wrote:
> > Victor Engmark wrote:
> > > For users to be able to detect their error after the fact, we could
> > > let the email stay in the field after submission.
> >
> > Good point.
>
> Actually, it would probably be even better to redirect the user to the front
> / login page, since that's where they would logically be going afterwards.
> We could display a prominent message to confirm that we did something.
> Modified the task accordingly.
When the user goes to the Lost password page, what he/she wants is to be
able to log in.
After we process his/her lost-password request, and show the prominent
message "You should receive an email with ...", he/she is ready to use
the omnipresent :) login box, under the menu, to log in.
So I think there is no need to do a redirect.
> > > To stop pranksters and accidental double-clicks from annoying users,
> > > we could also add a restriction that no email will be sent if an
> > > email was sent to the same address less than X seconds / minutes
> > > before. We should probably change the message to reflect that, to
> > > avoid even a white lie (ref. "your email will arrive shortly").
> >
> > This extra addition requires we create a new field at the E1_Entities
> > table to save the last lost-password-request time stamp. But with the
> > current data base model, we can only do it for the emails (entities) which
> > are already registered. So the spammers could note which emails exist by
> > doing several quick requests.
>
> No, because we won't tell them whether an email was actually sent or not.
> I'm thinking about having something like the following as the message for
> the user:
> You should receive an email with your (new?) password shortly. For security
> and privacy reasons, we'll only send to addresses registered at GNU Herds,
> and maximum once per X minutes.
OK, now I agree with you. So we will have to add a new field at the
E1_Entities table to save the last lost-password time stamp, for example:
E1_AbuseLastTime
We could use that field too, to combat abuse at the login box. Do you
agree? Do you have a better field name?
  -- Account identification
  E1_Email varchar(60) UNIQUE CHECK (E1_Email <> ''), ...
  E1_Password varchar(512) NOT NULL CHECK (E1_Password ...
  E1_Magic varchar(512) CHECK (E1_Magic <> ''), ...
  E1_Revoked bool NOT NULL DEFAULT 'false',
  E1_EntityType varchar(23) NOT NULL CHECK ...
  -- Saved configuration, etc.
  E1_Locale char(5) NOT NULL CHECK (E1_Locale <> ...
  -- now() (not bare now) so the default is evaluated per row in PostgreSQL
  E1_AbuseLastTime timestamp NOT NULL DEFAULT now(),
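The flow this thread converges on (one fixed reply for every request, mail only to registered addresses, at most once per X minutes tracked in E1_AbuseLastTime), as an added example that is not GNU Herds code: Python with an in-memory SQLite table standing in for E1_Entities. The 10-minute interval, the registered address and the outbox are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed in-memory stand-in for E1_Entities (SQLite, not PostgreSQL);
# only the two columns the lost-password flow needs are modelled.
SCHEMA = """CREATE TABLE E1_Entities (
    E1_Email         TEXT UNIQUE CHECK (E1_Email <> ''),
    E1_AbuseLastTime TIMESTAMP NOT NULL DEFAULT '1970-01-01 00:00:00')"""

MIN_INTERVAL = timedelta(minutes=10)  # the thread's "X minutes"; assumed value

# One fixed reply for every request, as proposed in the thread, so the page
# never reveals whether the address is registered or whether mail went out.
MESSAGE = ("You should receive an email with your new password shortly. "
           "For security and privacy reasons, we'll only send to addresses "
           "registered at GNU Herds, and maximum once per "
           f"{MIN_INTERVAL.seconds // 60} minutes.")

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO E1_Entities (E1_Email) VALUES (?)",
               ("alice@example.org",))  # constructed registered account
    db.commit()
    return db

def lost_password_request(db, email, now, send_mail):
    """Return (message, sent). `sent` is for logs and tests only and must
    never influence the HTTP response body or its timing."""
    stamp = lambda t: t.isoformat(sep=" ")
    # Check and update in one conditional UPDATE: an unregistered address
    # matches no row, a request within MIN_INTERVAL matches no row, and two
    # concurrent double-click requests cannot both pass the check.
    cur = db.execute(
        "UPDATE E1_Entities SET E1_AbuseLastTime = ? "
        "WHERE E1_Email = ? AND E1_AbuseLastTime <= ?",
        (stamp(now), email, stamp(now - MIN_INTERVAL)))
    db.commit()
    sent = cur.rowcount == 1
    if sent:
        send_mail(email)
    return MESSAGE, sent

def demo():
    """Fresh request, repeat after 1 min, unknown address, repeat after X min.
    Returns the sent flags, whether every reply was identical, and the outbox."""
    db, outbox, t0 = open_db(), [], datetime(2007, 4, 18, 18, 24)
    cases = [("alice@example.org", t0), ("alice@example.org", t0 + timedelta(minutes=1)),
             ("nobody@example.org", t0), ("alice@example.org", t0 + MIN_INTERVAL)]
    results = [lost_password_request(db, e, t, outbox.append) for e, t in cases]
    return tuple(s for _, s in results), len({m for m, _ in results}) == 1, outbox
```

The conditional UPDATE keeps both the existence check and the rate limit out of the reply; it does not equalise response time, so the actual mail delivery should be queued rather than done inline in the request.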