forgot password issue - Page 2

forgot password issue

Started by Nibbler, March 04, 2005, 02:36:32 PM


donnoman

The way to stop the brute force truly is to use the same technique that we do for logins: x many attempts in y amount of time = lockout of z minutes.

Whether its a password change, or a password reset request.
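The lockout rule donnoman describes (x attempts within y seconds locks the key out for z seconds), as an added example in Python that is not part of the thread or of Coppermine's PHP code base. The class name, the key string and the default thresholds are my own choices; a real deployment would persist the counters in the database or session store rather than in memory, and would key them on both the account and the requesting address so a legitimate user is not trivially locked out by a third party.

```python
import time
from collections import defaultdict, deque


class ResetAttemptLimiter:
    """Refuse password-reset (or login) attempts for a key once more than
    max_attempts have been made inside `window` seconds, for `lockout` seconds.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_attempts=5, window=600, lockout=900, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window          # y: sliding window in seconds
        self.lockout = lockout        # z: lockout duration in seconds
        self.clock = clock
        self._attempts = defaultdict(deque)   # key -> timestamps of recent attempts
        self._locked_until = {}               # key -> time at which the lockout expires

    def is_locked(self, key):
        """True while the key is inside a lockout period; expired lockouts are cleared."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]
            self._attempts[key].clear()
            return False
        return True

    def record_attempt(self, key):
        """Record one attempt for `key`. Returns True if the attempt may proceed,
        False if the key is (or has just become) locked out."""
        if self.is_locked(key):
            return False
        now = self.clock()
        recent = self._attempts[key]
        recent.append(now)
        # Drop attempts that fell out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.max_attempts:
            self._locked_until[key] = now + self.lockout
            return False
        return True


if __name__ == "__main__":
    # Constructed demo: key could be "reset:<user_id>" or "reset:<user_id>:<ip>".
    limiter = ResetAttemptLimiter(max_attempts=3, window=60, lockout=120)
    for i in range(5):
        print(i + 1, "allowed" if limiter.record_attempt("reset:42") else "locked out")
```

Apply the same limiter in front of both the "request a reset" and the "submit new password" handlers, since the post's point is that either path can be hammered.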

omniscientdeveloper



I'd prefer if you use the make_password method to create a special hash, one not related to anything already stored. Tie this with the requester's session, so it'll die after a time or if they remember and login. With that, all you'll need to pass is the user's email address or user_id in the url, which the requester should already know, since it could be easy to find. With this, I wouldn't worry about any brute force attempts, since it wouldn't work without the correct special hash and access to the user's email.
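The scheme omniscientdeveloper proposes (a one-off random hash, unrelated to anything stored, bound to the requester with an expiry and thrown away once they log in or use it), as an added example in Python; it is not code from the thread or from Coppermine. Coppermine's make_password is replaced here by the standard library's secrets module, the pending record is keyed by user_id with a TTL in place of a PHP session, and the class and method names are my own. Only a hash of the token is kept server-side, so a database read does not hand out usable tokens, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a reset token, in seconds


class PasswordResetService:
    """Issue and verify single-use password-reset tokens.
    `clock` is injectable so expiry can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}   # user_id -> (sha256 hex of token, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, user_id):
        """Create a fresh random token for user_id. The raw token is returned
        only so it can be placed in the email; just its hash is stored."""
        token = secrets.token_urlsafe(32)     # 256 bits of randomness
        self._pending[user_id] = (self._digest(token), self.clock() + TOKEN_TTL)
        return token

    def verify_token(self, user_id, token):
        """Return True once for a valid, unexpired token and consume it."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self.clock() > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False
        del self._pending[user_id]            # single use
        return True

    def on_login(self, user_id):
        """The user remembered their password: discard any pending reset."""
        self._pending.pop(user_id, None)


if __name__ == "__main__":
    # Constructed demo: user 42 requests a reset, then follows the emailed link.
    svc = PasswordResetService()
    emailed = svc.issue_token(42)
    print("link: forgot_passwd.php?user_id=42&token=" + emailed)   # hypothetical URL
    print("verify:", svc.verify_token(42, emailed))   # True
    print("replay:", svc.verify_token(42, emailed))   # False
```

The user_id in the URL is not secret, exactly as the post says; what protects the account is the 256-bit token, which can only reach the attacker through the user's mailbox. Keeping the lockout from the previous post in front of this handler is still worthwhile, mainly to stop someone flooding a victim with reset emails.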

Joachim Müller

Can this still be implemented for cpg1.4.x (and if yes, who will do so?), or should we mark the entire thread as "known issue" and schedule it for cpg1.5?

Joachim

omniscientdeveloper

I've already done this also. I can't commit until Saturday, because I am away.

Joachim Müller

OK, good to hear that.

Joachim

Joachim Müller

[moderation]
bumping this unresolved thread to the top...

Joachim Müller

sent an email to Chris, asking him if he still has the proposed fix.

omniscientdeveloper

I posted a fix in the dev board.
