
TOPIC: Security Alert

Security Alert 4 months 1 week ago #65339

  • deedubbleyoo
  • FTH Newbie Poster
  • Posts: 12
  • Thank you received: 3
  • Karma: 0
The password reset email that users can request contains a link to change the user's password. When the link is used, the user is logged in and they can change their password; however, the link does not expire, so it can be used in the future, by anyone, to log in as that user. The password dialog box can be closed at this point without changing the password and the website used as that user. This is a major security flaw.

Security Alert 4 months 1 week ago #65342

  • SteveTheTechie
  • FreeToastHost Developer
  • Posts: 9359
  • Thank you received: 2330
  • Karma: 120
Session keys are expired via the cookies they are stored in on the user's computer. However, you are correct that if the session key is transmitted via a link instead of a cookie, then there is nothing to expire it.

I have been thinking for a while that we should save expiry info for session keys in our db.

I will take a look at this in a few weeks and see if I can make the code start putting the expiry info in the db with the session keys.
Steve James, DTM
FreeToastHost 2 Lead System Developer B)
District 52 Pathways Chief Ambassador / Guide
Officer Emeritus
Mindful Communicators - Club 1966, Presidents Distinguished Since 2008
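The two posts above describe the same defect from both sides: the emailed link carries a session key with no expiry, and using it logs the user in rather than only allowing a password change. The following is an added example, not FreeToastHost code, of how a reset link can be handled so that both problems go away: the token is random, only its hash is stored, it carries an expiry in the database, it is consumed on first use, and redeeming it sets a new password without creating a login session. The schema, table names, the 15-minute lifetime and the in-memory SQLite store are all constructed for the example.

```python
"""Time-limited, single-use password reset tokens stored in a database.
Constructed example (schema, names and lifetime are assumptions), not FreeToastHost code."""
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed lifetime for a reset link: 15 minutes


def open_store():
    """In-memory SQLite standing in for the site database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            user_id       INTEGER PRIMARY KEY,
            password_hash BLOB NOT NULL,
            salt          BLOB NOT NULL);
        CREATE TABLE reset_tokens (
            token_hash TEXT PRIMARY KEY,   -- only the hash is stored, so a DB leak yields no usable links
            user_id    INTEGER NOT NULL REFERENCES users(user_id),
            expires_at REAL NOT NULL,      -- the expiry the forum thread says is missing
            used_at    REAL);              -- NULL until the token is consumed
    """)
    return conn


def _token_hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def create_user(conn, user_id, password):
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (user_id, _password_hash(password, salt), salt))
    conn.commit()


def check_password(conn, user_id, password):
    row = conn.execute("SELECT password_hash, salt FROM users WHERE user_id = ?",
                       (user_id,)).fetchone()
    return row is not None and secrets.compare_digest(row[0], _password_hash(password, row[1]))


def issue_reset_token(conn, user_id, now=None):
    """Mint the secret that goes into the emailed link and record its expiry in the DB."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness; never a session key
    conn.execute(
        "INSERT INTO reset_tokens (token_hash, user_id, expires_at, used_at) VALUES (?, ?, ?, NULL)",
        (_token_hash(token), user_id, now + TOKEN_TTL_SECONDS))
    conn.commit()
    return token


def complete_password_reset(conn, token, new_password, now=None):
    """Consume the token and set the new password in one step.

    Returns the user_id on success, or None if the token is unknown, expired or
    already used.  No login session is created here: the link only grants the
    right to set a new password, so closing the dialog gives the holder nothing.
    """
    now = time.time() if now is None else now
    # The single UPDATE both validates and consumes the token, so two concurrent
    # requests with the same link cannot both succeed.
    cur = conn.execute(
        "UPDATE reset_tokens SET used_at = ? "
        "WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?",
        (now, _token_hash(token), now))
    if cur.rowcount != 1:  # unknown, expired, or already consumed
        conn.rollback()
        return None
    user_id = conn.execute("SELECT user_id FROM reset_tokens WHERE token_hash = ?",
                           (_token_hash(token),)).fetchone()[0]
    salt = secrets.token_bytes(16)
    conn.execute("UPDATE users SET password_hash = ?, salt = ? WHERE user_id = ?",
                 (_password_hash(new_password, salt), salt, user_id))
    conn.commit()
    return user_id


if __name__ == "__main__":
    db = open_store()
    create_user(db, 1, "old-pass")
    link_token = issue_reset_token(db, 1)
    print("first use ->", complete_password_reset(db, link_token, "new-pass"))   # 1
    print("second use ->", complete_password_reset(db, link_token, "again"))     # None
```

The key design choice is that the link never carries anything a session check would accept; it is exchanged for exactly one password change and nothing else, and the `expires_at` column is what makes a forgotten or forwarded email harmless after the window closes.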