Comments (19)

Soupala commented on May 17, 2024

I put it in the subject line, but forgot to mention that the link to reset the password should expire after a few hours.

from userfrosting.

alexweissman commented on May 17, 2024

I agree. It might also be worth implementing an additional level of identity verification, such as asking them to enter their username, before allowing them to reset their password (after the reset link has been sent; see the flowchart at the bottom of http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html).

Would you want to take charge on implementing this feature?

Soupala commented on May 17, 2024

I can, although it might be several months till I can finish it. So if anyone is really anxious and wants to take it, let me know.

lilfade commented on May 17, 2024

Wouldn't it be easier to send the auth code to reset the password, and when the user clicks the link we check to see how long it's been since the auth key was sent? If it's been, say, more than 6 hours or whatever time frame, make them revalidate and start again?

alexweissman commented on May 17, 2024

@Soupala thanks! I'm going to be working mainly on the auth system over the next few weeks, so maybe after that would be a good time to implement this feature.
@lilfade yes, we should definitely have an expiration time for the auth keys. But, requiring an extra piece of information would help in the event that the user's email account has been compromised somehow.

lilfade commented on May 17, 2024

Maybe some password reset question could be implemented, e.g. "What's your favorite color" or "What hospital were you born in" etc. Most people won't forget such questions as easily as their password.

alexweissman commented on May 17, 2024

Yeah, we could do something like that, although we'd need something difficult for a hacker to glean from people's social media accounts. See http://goodsecurityquestions.com/. We need questions that people won't forget, are universally applicable, and cannot be easily deduced from social media.

alexweissman commented on May 17, 2024

We could also possibly make the questions a feature that admins can configure themselves ;-)

lilfade commented on May 17, 2024

Well, we could have the user set the question, and when the user requests a lost password we could have them choose the question, say using radio boxes with 2 other questions, so they have to select the right question and provide the answer as well. We could do this 2 times and have 5 questions from the user. This would make it pretty secure, I'd say. Any ideas?

Soupala commented on May 17, 2024

Tricky issue. If we leave it to the users to create their own, we can't trust they'll create good ones. But on the other hand, if we come up with a list of questions that can't easily be guessed or gleaned from stolen documents, that would be good.

On Wed, May 7, 2014 at 9:38 AM, Alex Weissman [email protected]:

We could also possibly make the questions a feature that admins can configure themselves ;-)

-Mica

Mica Cardillo
soupala.com
@Soupala http://www.twitter.com/Soupala on Twitter
Profile http://www.linkedin.com/pub/mica-cardillo/13/b37/a35 on LinkedIn
541.840.7245

lilfade commented on May 17, 2024

I updated the lost password page. I need to make a few fixes and drop a lot of debug code, but basically I changed it so there is a configurable time setting (by admin) for passwords to expire. When you get the email it will direct you to the page to change your password rather than send you a password. And to change the password you will also need to verify the username associated with the activation token.

Just need to touch everything up and we can probably close this feature as well.

lilfade commented on May 17, 2024

Actually I need to do some work on this still to make sure everything is working before I make a pull, but that should happen today sometime ^_^

alexweissman commented on May 17, 2024

Sweet! I'll be gone for the weekend; if I don't get a chance to look at it before I leave, I'll see it on Monday :-D

lilfade commented on May 17, 2024

That's cool. At the moment it's really rough and I still need to fix it up, but I finally got the forgot_password.php to load 2 forms and process it with the JS depending on what form loaded. It works, though; just gonna rewrite it a little bit to make it all work a bit better ^_^. Yeah, no rush on this one though, I'm not sure how this weekend will work out for me yet, may have time or may not xD

lilfade commented on May 17, 2024

OK, this should all work. Wanna check this out (https://github.com/lilfade/UserFrosting/compare/alexweissman:butterflyknife...master) and let me know what you think of the changes and if you think we need anything else added? I still have to add the new msgs to the lang array, but that's about it I think.

alexweissman commented on May 17, 2024

Nice, looks fantastic. This is getting me thinking that, rather than keeping all of these seldom-used variables (activation requests, password requests, etc.) directly in the user table, we could keep them in a separate table. Then we could keep a sort of history of account events for users, and the user table would be less cluttered.

lilfade commented on May 17, 2024

Did you just want to use something like this then?

User                  User Extra
--------------------  ------------------------
id                    id
user_name             user_id
display_name          activation_token
password              last_activation_request
email                 lost_password_request
active                lost_password_timestamp
title
sign_up_stamp
last_sign_in_stamp
enabled

Or maybe we can do something like:

User Extra     User Extra 1             User Extra 2
-------------  -----------------------  ---------------------------------
id             1                        2
user_id        1                        2
request_name   lost_password_request    activation_token
request_value  1                        b20913e533fd20dade5c03e0d46a995c

The only issue I can see is that if we hold all values of a user's requests, we might end up having a very long table of data, but we could set up a function to clear this table on a set schedule.

alexweissman commented on May 17, 2024

Hmm, I like the second, although we'd need every entry to have a timestamp so we can identify the most recent value. Let's wait on this; it's not critical to pushing butterflyknife. We'll try to gauge what people want for future releases.
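The reset flow the thread converges on (a link that expires after a configurable time, the user confirming the username tied to the token, and the token kept in a separate request table with a timestamp so the newest entry wins) can be sketched end to end. The following is an added example written for this discussion, not UserFrosting's own PHP code: it uses Python with an in-memory SQLite database, a hypothetical `user_extra` table modelled on the `request_name` / `request_value` layout above with the `created_at` column the maintainer asked for, and two constructed sample users. Only a hash of the token is stored, so a leaked table does not hand out usable reset links, and comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical schema: the "request_name / request_value" table from the
# thread, plus a created_at timestamp so the most recent request can be found.
SCHEMA = """
CREATE TABLE user (
    id        INTEGER PRIMARY KEY,
    user_name TEXT NOT NULL UNIQUE
);
CREATE TABLE user_extra (
    id            INTEGER PRIMARY KEY,
    user_id       INTEGER NOT NULL REFERENCES user(id),
    request_name  TEXT NOT NULL,
    request_value TEXT NOT NULL,
    created_at    INTEGER NOT NULL
);
"""

REQUEST = "lost_password_request"


def open_db():
    """Fresh in-memory database with two constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO user (id, user_name) VALUES (1, 'mica'), (2, 'alex')")
    return db


def issue_reset_token(db, user_name, now):
    """Record a reset request and return the raw token to put in the emailed link.

    Only the SHA-256 of the token is stored; the raw value exists solely in the
    email. Returns None for unknown users (the caller should still answer the
    HTTP request identically so usernames cannot be enumerated).
    """
    row = db.execute("SELECT id FROM user WHERE user_name = ?", (user_name,)).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    db.execute(
        "INSERT INTO user_extra (user_id, request_name, request_value, created_at)"
        " VALUES (?, ?, ?, ?)",
        (row[0], REQUEST, digest, now),
    )
    return token


def verify_reset_token(db, user_name, token, now, max_age_seconds):
    """Return the user id if token is the named user's newest, unexpired request.

    Checks in order: the username on the form matches a user with a request,
    the token hash matches the most recent request (older ones are superseded),
    and the request is younger than the admin-configured max_age_seconds.
    """
    digest = hashlib.sha256(token.encode()).hexdigest()
    row = db.execute(
        "SELECT u.id, e.request_value, e.created_at"
        "  FROM user_extra e JOIN user u ON u.id = e.user_id"
        " WHERE u.user_name = ? AND e.request_name = ?"
        " ORDER BY e.created_at DESC, e.id DESC LIMIT 1",
        (user_name, REQUEST),
    ).fetchone()
    if row is None:
        return None
    user_id, stored_digest, created_at = row
    if not hmac.compare_digest(stored_digest, digest):
        return None
    if now - created_at > max_age_seconds:
        return None
    return user_id


def consume_reset_token(db, user_id):
    """Drop the user's outstanding reset requests once the password is changed."""
    db.execute(
        "DELETE FROM user_extra WHERE user_id = ? AND request_name = ?",
        (user_id, REQUEST),
    )


if __name__ == "__main__":
    db = open_db()
    link_token = issue_reset_token(db, "mica", now=1000)
    print("valid within 6h:", verify_reset_token(db, "mica", link_token, 1000 + 3600, 6 * 3600))
    print("wrong username :", verify_reset_token(db, "alex", link_token, 1000 + 3600, 6 * 3600))
    print("after 7h       :", verify_reset_token(db, "mica", link_token, 1000 + 7 * 3600, 6 * 3600))
```

Because the lookup is keyed on the username typed into the change-password form rather than on the token alone, someone holding only the emailed link still has to know which account it belongs to, which is the extra factor the thread asks for. Expired or superseded rows are simply ignored at verification time, so the scheduled cleanup the thread mentions is housekeeping rather than a security control.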

alexweissman commented on May 17, 2024

Implemented in butterflyknife.