| Project: | ProjectPier |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | new |
Description
Hello,
The current password reset procedure is a bit too quick in my opinion. If you know the email address of any user in the system you can reset his password.
What you see in many user management systems is something like this:
- User asks for the password reset
- User receives a mail with a link to confirm he really asked for this reset (so we know he owns the email address, and thus the account related to that address)
- If he clicks the link, the password is reset and is sent either through mail or displayed on the confirmation page.
So the users' accounts are never reset without them knowing it.
On the same topic, when a user tries to modify his password, the least security measure would be to ask for his current password before accepting the change. That is almost required since it is possible to log in with a cookie (Remember me for the next 14 days).
Those are two minor issues since the system is rarely a public website, but I think it wouldn't be such a bad idea to implement them. What do you think about it?
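The two-step reset described in the request (ask, confirm by emailed link, only then reset) and the current-password check on a password change, as an added illustration that is not ProjectPier's code and not part of the original request. It is written in Python against a constructed in-memory store standing in for the project's user table; the `PasswordStore` class, the `example.invalid` link, the mail `outbox` list and the one-hour `TOKEN_TTL` are all assumptions made for the example. The points a practitioner would want beyond the request itself: the reset request changes nothing until the link is used, the token is random, stored only as a hash, single-use and expiring, and the request form answers identically for unknown addresses so it cannot be used to enumerate users.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a confirmation link, in seconds


class PasswordStore:
    """Constructed in-memory stand-in for the application's user table (hypothetical)."""

    def __init__(self):
        self.users = {}    # email -> {"salt": bytes, "hash": bytes}
        self.pending = {}  # sha256(token) -> (email, expires_at); tokens are never stored in clear
        self.outbox = []   # constructed stand-in for outgoing mail: (email, link)

    @staticmethod
    def _hash(password, salt):
        # Slow, salted hash so a leaked table cannot be cracked cheaply.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)  # fresh salt on every change
        self.users[email] = {"salt": salt, "hash": self._hash(password, salt)}

    def verify(self, email, password):
        user = self.users.get(email)
        if user is None:
            return False
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(user["hash"], self._hash(password, user["salt"]))

    # Step 1: the user asks for a reset. Nothing about the account changes yet;
    # only a confirmation link is sent to the address on file.
    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        if email in self.users:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self.pending[key] = (email, now + TOKEN_TTL)
            self.outbox.append((email, f"https://example.invalid/reset?token={token}"))
        # Same reply whether or not the address exists, so the form does not
        # reveal which addresses are registered.
        return "If that address is registered, a confirmation link has been sent."

    # Step 2: the user follows the link. Only now is the password replaced, and
    # the new password is returned for display on the confirmation page.
    def confirm_reset(self, token, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop makes the link single-use
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        new_password = secrets.token_urlsafe(12)
        self.set_password(email, new_password)
        return new_password

    # A password change from a logged-in session must prove the current
    # password, so a session restored from a "remember me" cookie alone is
    # not enough to take over the account.
    def change_password(self, email, current_password, new_password):
        if not self.verify(email, current_password):
            return False
        self.set_password(email, new_password)
        return True


def token_from_link(link):
    """Helper for the example: pull the token back out of the mailed link."""
    return link.split("token=", 1)[1]


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice@example.invalid", "correct horse")
    print(store.request_reset("alice@example.invalid"))
    print("password still valid before the link is used:",
          store.verify("alice@example.invalid", "correct horse"))
    new_pw = store.confirm_reset(token_from_link(store.outbox[-1][1]))
    print("new password works:", store.verify("alice@example.invalid", new_pw))
    print("reusing the link:", store.confirm_reset(token_from_link(store.outbox[-1][1])))
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real deployment the timestamps come from the clock and the pending table would live in the database alongside the user record.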