gnuherds-app-dev

Re: Hide email validation in "Lost password" page? -- Security bug


From: Davi Leal
Subject: Re: Hide email validation in "Lost password" page? -- Security bug
Date: Thu, 19 Apr 2007 10:17:49 +0200 (CEST)

Victor Engmark wrote:
> Davi Leal wrote:

> I'd still argue that the "lost password" page is the least useful place the
> user can be after submitting a request. Since we don't have a separate
> login page, the front page is probably the most useful at that moment.

We cannot redirect because the "lost password" page, after processing the
user request, shows the "You will ..." message to the user.

The user has to stay at that page to be able to read that message.


> > OK, now I agree with you.  So we will have to add a new field to the
> > E1_Entities table to save the last lost-password time stamp, for example:
> >
> >      E1_AbuseLastTime
> >
> > We could use that field, too, to combat abuse at the login box. Do you
> > agree? Do you have a better field name?
>
> Why "E1_"? Anyway, I'd call it LastPasswordRetrieval or just
> PasswordRetrieval (less clear). Separates the information from the
> function(s), which could be several.

We use a prefix throughout the whole database implementation. Each field has
its prefix to make it easier to know which table we are working with.  Take
a look at the source code of Layer-5; in a query which processes fields of
several tables, it is very easy to know which table each field belongs to.


About the field name, I propose a new one:

        E1_LastAbuseTime   timestamp,

We will be able to use that field for both the "lost password" page and the
login pages. It can be used to register the last time a login or lost-password
operation has been requested for a user.  What do you think?

Davi
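
The following is an added illustration, not code from the GNU Herds project or from either participant in this thread. It shows the two ideas under discussion working together: a single E1_LastAbuseTime timestamp on E1_Entities that throttles both the "lost password" page and the login box, and a lost-password handler that returns the same "You will ..." text whether or not the address is registered, so the page never confirms which e-mails exist. The table layout beyond E1_LastAbuseTime (the E1_Email, E1_PasswordSalt and E1_PasswordHash columns), the sample account, the 15-minute interval, the message wording and the use of SQLite are all assumptions made for the example.

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta

# Assumed policy: one login or lost-password operation per account per interval.
ABUSE_INTERVAL = timedelta(minutes=15)

# Shown to every lost-password requester, registered or not, so the page
# itself never confirms whether an address exists. Wording is illustrative.
GENERIC_MESSAGE = "You will receive an e-mail if that address is registered."


def _hash(password, salt):
    """Salted PBKDF2 for the sample account; a real deployment tunes this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def open_db():
    """In-memory SQLite database with a minimal E1_Entities table.

    The table shape, the password columns and the sample account are
    constructed for this example; only E1_LastAbuseTime comes from the thread.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE E1_Entities ("
        " E1_Email TEXT PRIMARY KEY,"
        " E1_PasswordSalt BLOB,"
        " E1_PasswordHash TEXT,"
        " E1_LastAbuseTime TEXT)"  # ISO-8601 text; NULL until first use
    )
    salt = b"constructed-salt"
    db.execute(
        "INSERT INTO E1_Entities VALUES (?, ?, ?, NULL)",
        ("alice@example.org", salt, _hash("correct horse", salt)),
    )
    db.commit()
    return db


def check_and_stamp(db, email, now):
    """Shared throttle for the lost-password page and the login box.

    Returns True when the operation may proceed and records `now` in
    E1_LastAbuseTime. Blocked attempts leave the stamp alone, so someone
    hammering the form cannot extend the owner's lock-out indefinitely.
    Unknown addresses return False without touching the database.
    """
    row = db.execute(
        "SELECT E1_LastAbuseTime FROM E1_Entities WHERE E1_Email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    last = datetime.fromisoformat(row[0]) if row[0] else None
    if last is not None and now - last < ABUSE_INTERVAL:
        return False
    db.execute(
        "UPDATE E1_Entities SET E1_LastAbuseTime = ? WHERE E1_Email = ?",
        (now.isoformat(), email),
    )
    db.commit()
    return True


def lost_password(db, email, now):
    """Returns (message, email_sent). The message is identical in every
    branch; only the side effect differs, which is what hides the validation."""
    return GENERIC_MESSAGE, check_and_stamp(db, email, now)


def login(db, email, password, now):
    """Returns True only for a non-throttled attempt with the right password."""
    if not check_and_stamp(db, email, now):
        return False
    salt, stored = db.execute(
        "SELECT E1_PasswordSalt, E1_PasswordHash FROM E1_Entities WHERE E1_Email = ?",
        (email,),
    ).fetchone()
    return _hash(password, salt) == stored


def demo():
    """Walk one account through both pages; returns the observed results."""
    db = open_db()
    t0 = datetime(2007, 4, 19, 10, 17, 49)
    m = lambda k: t0 + timedelta(minutes=k)
    return [
        lost_password(db, "nobody@example.org", m(0)),  # unknown: same text, no mail
        lost_password(db, "alice@example.org", m(0)),   # first request: mail sent
        lost_password(db, "alice@example.org", m(5)),   # too soon: same text, no mail
        lost_password(db, "alice@example.org", m(15)),  # interval elapsed: mail sent
        login(db, "alice@example.org", "correct horse", m(16)),  # throttled by the reset at +15
        login(db, "alice@example.org", "correct horse", m(31)),  # allowed, correct password
        login(db, "alice@example.org", "wrong", m(47)),          # allowed, wrong password
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two consequences of sharing one field are visible in `demo()`: a reset request at +15 minutes blocks the owner's own login one minute later, which is the trade-off of a single E1_LastAbuseTime rather than one per operation, and an unknown address is answered without a password-hash computation, so response timing can still differ even though the text does not; a deployment that cares about that should spend comparable work on both paths.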



