Details
Type: Suggestion
Resolution: Fixed
Environment: standalone, JDK1.5.0, Solaris 10
Description
The "Forgot password" function invents a new password and sends it by email.
This invites misuse, as guessing the userid already allows one to annoy or even lock out the legitimate account owner. (The user may currently not have access to his email account, or the mail could be killed by a spam filter.)
Possible solutions could be that the old password remains valid until changed by the user himself, or that a new password is only generated when the user acknowledges having received the email.
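The two designs contrasted in the report, as an added example (it is not Confluence code and does not reflect how Confluence implemented the fix). NaiveResetService reproduces the reported behaviour: anyone who knows a userid can replace the password at once, so the owner is locked out until the email arrives. TokenResetService implements the second suggested remedy: the current password stays valid and nothing changes until the user proves receipt of the email by presenting a single-use, time-limited reset token. Class and method names, the 15-minute expiry, the in-memory stores and the PBKDF2 parameters are assumptions of this example.

```python
"""Added example, not Confluence's own code: two 'forgot password' designs."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed: reset tokens expire after 15 minutes

PasswordRecord = Tuple[bytes, bytes]  # (salt, PBKDF2 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumption for the example."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(stored: PasswordRecord, candidate: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(digest, hash_password(candidate, salt)[1])


class NaiveResetService:
    """The reported behaviour: 'forgot password' invents a new password immediately."""

    def __init__(self, users: Dict[str, str]):
        self.users = {u: hash_password(p) for u, p in users.items()}

    def login(self, userid: str, password: str) -> bool:
        return userid in self.users and check_password(self.users[userid], password)

    def forgot_password(self, userid: str) -> str:
        # Anyone who guesses a userid reaches this line; the old password is
        # already dead before the legitimate owner has seen the email.
        new_password = secrets.token_urlsafe(12)
        self.users[userid] = hash_password(new_password)
        return new_password  # what would be put in the email


class TokenResetService:
    """Remedy: the password only changes after the user presents the emailed token."""

    def __init__(self, users: Dict[str, str]):
        self.users = {u: hash_password(p) for u, p in users.items()}
        self.pending: Dict[bytes, Tuple[str, float]] = {}  # sha256(token) -> (userid, expiry)

    def login(self, userid: str, password: str) -> bool:
        return userid in self.users and check_password(self.users[userid], password)

    def request_reset(self, userid: str, now: Optional[float] = None) -> Optional[str]:
        """Mint a token to email. The stored password is untouched."""
        now = time.time() if now is None else now
        if userid not in self.users:
            # Caller should show the same 'check your email' message either way,
            # so the endpoint does not confirm which userids exist.
            return None
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is kept, so a leaked table yields no usable tokens.
        key = hashlib.sha256(token.encode()).digest()
        self.pending[key] = (userid, now + TOKEN_TTL_SECONDS)
        return token

    def confirm_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Acknowledgement step: a valid, unexpired token sets the new password exactly once."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        entry = self.pending.pop(key, None)  # single use: removed whether or not it succeeds
        if entry is None:
            return False
        userid, expires_at = entry
        if now > expires_at:
            return False
        self.users[userid] = hash_password(new_password)
        # Any other outstanding tokens for this user are now worthless.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != userid}
        return True
```

With the token design, a stranger who knows a userid can at most cause reset emails to be sent; the owner's existing password keeps working, and a token they never act on simply expires. Rate-limiting requests per userid and per source address is still needed to stop the mailbox-flooding nuisance, but that is a separate control from the lockout the report describes.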
Issue Links
relates to CONFSERVER-18971: forgotmypassword email and forgotmypassword-success.vm links should go to password changemypassword page. (Closed)