Password recovery is vulnerable to re-use of reset links

A password reset link is supposed to work only for one hour. This timer gets reset, though, with subsequent password reset requests. user.setLastChange(new Date()); would basically activate not only the current but all past request links.

Update: apparently this is no issue as the new request would also update the secret required to be known by the attacker.
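An added illustration of the two designs discussed above (constructed for this page, not code from the project or the reporter): the expiry check keyed on a last-change timestamp, once with a fixed per-user secret and once with the secret regenerated on every request. The User class, the rotate_secret flag and the token format are assumptions.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)


class User:
    """Constructed stand-in for the account record holding the reset state."""
    def __init__(self, name):
        self.name = name
        self.secret = secrets.token_hex(16)  # secret an attacker must know
        self.last_change = None               # set by setLastChange(new Date())


def token_for(user):
    # The reset link carries an HMAC over the user name under the secret.
    return hmac.new(user.secret.encode(), user.name.encode(), hashlib.sha256).hexdigest()


def request_reset(user, now, rotate_secret):
    """Issue a reset link. rotate_secret=False keeps the secret fixed (the
    behaviour the report feared); True regenerates it per request (the
    behaviour the update describes)."""
    if rotate_secret:
        user.secret = secrets.token_hex(16)
    user.last_change = now  # timer restarts for every request
    return token_for(user)


def verify_reset(user, token, now):
    """Accept a link only within one hour of the last change and only if the
    token matches the secret currently on record."""
    if user.last_change is None or now - user.last_change > ONE_HOUR:
        return False
    return hmac.compare_digest(token, token_for(user))


def old_link_revived(rotate_secret):
    """True if an expired link becomes valid again after a fresh request."""
    user = User("alice")
    t0 = datetime(2024, 1, 1, 12, 0)
    old_link = request_reset(user, t0, rotate_secret)
    expired = not verify_reset(user, old_link, t0 + timedelta(hours=2))
    request_reset(user, t0 + timedelta(hours=2), rotate_secret)  # timer reset
    return expired and verify_reset(user, old_link, t0 + timedelta(hours=2, minutes=5))
```

With a fixed secret the resurrected timer validates the old link again; with per-request rotation the old link fails the HMAC check regardless of the timer.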

Status

Issue is closed.
