incubator-jspwiki-dev mailing list archives

From "Stefan Bohn (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-159) Getting an new password is only possible for one user per mail address
Date Thu, 25 Nov 2010 07:20:13 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12935661#action_12935661 ]

Stefan Bohn commented on JSPWIKI-159:
-------------------------------------

Janne
"Allowing login credentials for password recovery is a problem, since that means that you
could be subjected to a denial-of-service attack. Say, have a bot reset your password every
few minutes."

Like other sites, we could first send an email with a (temporary?) link to confirm the change
request. Then the user has to follow the link to change the password.



> Getting an new password is only possible for one user per mail address
> ----------------------------------------------------------------------
>
>                 Key: JSPWIKI-159
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-159
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>            Reporter: Florian Holeczek
>
> If there's more than one user with a given email address, it's only possible for one of these users to get a new password via email.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
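
The confirmation-link flow suggested in the comment above, as an added Java sketch that is not JSPWiki code and not part of the original message; the class, the method names, the 30-minute lifetime and the in-memory maps are assumptions. A reset request only issues a single-use token bound to one login name, so unconfirmed requests leave the password unchanged and accounts that share a mail address stay distinct.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added sketch, not JSPWiki code; all names here are hypothetical.
public class ResetConfirmation {
    private record Pending(String loginName, Instant expires) {}
    private static final Duration TTL = Duration.ofMinutes(30); // assumed link lifetime
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Pending> pending = new HashMap<>(); // key: SHA-256 of token
    final Map<String, String> passwords = new HashMap<>();        // stand-in for the user database

    // Step 1: anyone may request a reset; the stored password is not touched.
    public String requestReset(String loginName, Instant now) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(hash(token), new Pending(loginName, now.plus(TTL)));
        return token; // goes into the link mailed to the account's address
    }

    // Step 2: only the holder of the mailed link can change the password.
    public boolean confirmReset(String token, String newPassword, Instant now) {
        Pending p = pending.remove(hash(token)); // single use
        if (p == null || now.isAfter(p.expires())) return false;
        passwords.put(p.loginName(), newPassword); // a real store keeps a password hash
        return true;
    }
    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) {
        ResetConfirmation r = new ResetConfirmation();
        r.passwords.put("alice", "old"); // constructed sample account
        Instant t0 = Instant.parse("2010-11-25T07:20:13Z");
        for (int i = 0; i < 3; i++) r.requestReset("alice", t0); // unconfirmed requests
        System.out.println("after requests: " + r.passwords.get("alice"));
        String token = r.requestReset("alice", t0);
        System.out.println("confirm: " + r.confirmReset(token, "new", t0.plusSeconds(60)));
        System.out.println("replay: " + r.confirmReset(token, "x", t0.plusSeconds(120)));
    }
}
```

Each request still sends a mail, so limiting requests per account remains a separate control.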

