
TOPIC:

Security Alert 6 years 7 months ago #65339

  • deedubbleyoo (Topic Author)
  • Offline
  • FreeToastHost Ambassador
  • Posts: 69
  • Thank you received: 6
The password reset email that users can request contains a link to change the user's password. When the link is used, the user is logged in and can change their password; however, the link does not expire, so it can be used in the future by anyone to log in as that user. The password dialog box can be closed at this point without changing the password, and the website can be used as that user. This is a major security flaw.

Security Alert 6 years 7 months ago #65342

  • SteveTheTechie
  • Offline
  • FreeToastHost Developer
  • Posts: 13529
  • Thank you received: 3831
Session keys are expired via the cookies they are stored in on the user's computer. However, you are correct that if the session key is transmitted via a link instead of a cookie, then there is nothing to expire it.

I have been thinking for a while that we should save expiry info for session keys in our db.

I will take a look at this in a few weeks and see if I can make the code start putting the expiry info in the db with the session keys.
Regards,

Steve James, DTM
FreeToastHost System Developer
Officer Emeritus, Mindful Communicators (Club 1966, District 52). A President's Distinguished Club for each of the last 10 years.
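The server-side expiry Steve describes, as an added example that is not FreeToastHost's code (written in Python since the thread names no language): a reset link carries a random one-time token rather than a session key, the token is stored hashed with an expiry and a used flag in a constructed in-memory table standing in for the database, and redeeming it is refused once it is expired or already used. All names, the 15-minute lifetime and the table layout are assumptions.

```python
import hashlib
import secrets
import time

# Added example, not FreeToastHost code. RESET_TOKENS is a constructed in-memory
# stand-in for the database table Steve proposes, keyed by token hash.
RESET_TOKENS: dict = {}
RESET_TTL_SECONDS = 15 * 60  # assumed policy: a reset link lives 15 minutes

def _token_key(token: str) -> str:
    # Store only a hash: a leaked DB row then does not yield a usable link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_reset_token(user_id: str, now=None) -> str:
    """Mint a fresh random token and record its expiry server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {
        "user_id": user_id, "expires_at": now + RESET_TTL_SECONDS, "used": False,
    }
    return token

def redeem_reset_token(token: str, now=None):
    """Return the user_id only if the token exists, is unexpired and unused.
    The record is marked used on success, so the emailed link cannot be replayed
    later by whoever finds it; expired records are dropped on sight."""
    now = time.time() if now is None else now
    key = _token_key(token)
    rec = RESET_TOKENS.get(key)
    if rec is None:
        return None
    if now > rec["expires_at"]:
        del RESET_TOKENS[key]
        return None
    if rec["used"]:
        return None
    rec["used"] = True
    return rec["user_id"]

def revoke_reset_tokens(user_id: str) -> int:
    """Drop every outstanding reset link for a user, e.g. once the password has
    actually been changed. Returns how many records were removed."""
    stale = [k for k, r in RESET_TOKENS.items() if r["user_id"] == user_id]
    for k in stale:
        del RESET_TOKENS[k]
    return len(stale)
```

A successful redeem should grant only the password-change step, not a full login, so closing the dialog without changing the password leaves the token spent and no session behind.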