Hi all,

Currently password reset is done without any confirmation, so all you 
have to do is know someone's email and a Django site that they use 
(assuming it uses the default password reset code) and you can change 
their password.  In this way, you only have to make about 1 
request/minute to completely block someone from accessing their 
account.

(Related tickets:
 http://code.djangoproject.com/ticket/4235
 http://code.djangoproject.com/ticket/5272 )

I propose to change to a solution that requires clicking a link in an 
email, with the link containing the username, the new password, a 
timestamp and a hash to stop tampering.  This link is handled by a 
new view which does the resetting, and gives a limited period for the 
reset, so that someone who sniffs the URL cannot keep resetting the 
password.

As I understand it, with SSL both GET and POST parameters in a request 
are invisible to sniffers, so if SSL is enabled this would become a 
secure solution (without SSL, GET and POST etc are of course 
completely visible to sniffers, so you can't design a system that is 
properly secure without SSL).

This would be a backwards incompatible change -- if you have provided 
your own templates for the password reset views then they will need 
fixing.  It doesn't make sense to do it to trunk, since the password 
reset view has already changed in newforms-admin, so this should 
probably wait for the nfa merge.

I've actually already implemented the above system for my own site, 
complete with tests.  Testing is still problematic for views in 
contrib, but that should be fixed shortly.

What do people think?  Did I miss any problems?

Luke

-- 
"If your parents never had children, the chances are you won't 
either."

Luke Plant || http://lukeplant.me.uk/
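As an added illustration of the link scheme proposed above (this is example code written for this page, not Luke's implementation and not part of Django), the block below builds a token carrying the username, the new password and a timestamp, signs it with an HMAC so any edit to a field is detected, and has the confirmation side reject tokens that are malformed, tampered with, dated in the future, or older than a fixed window. Everything here is an assumption for the sake of the example: the one-hour `MAX_AGE_SECONDS`, the demo `SECRET`, the `/accounts/reset/confirm/<token>/` URL shape, and the use of the Python standard library's `hmac` module rather than any Django helper.

```python
import hashlib
import hmac
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed demo secret. A real site would use its own server-side secret
# (for a Django site, something derived from SECRET_KEY); it never goes in the link.
SECRET = b"constructed-demo-secret-not-for-real-use"

# Assumption: a reset link is honoured for one hour after it was generated.
MAX_AGE_SECONDS = 3600
# Assumption: tolerate a little clock skew before calling a timestamp "future".
FUTURE_SKEW_SECONDS = 60


def _b64(text):
    """URL-safe base64, so usernames/passwords can never contain the ':' separator."""
    return urlsafe_b64encode(text.encode("utf-8")).decode("ascii")


def _unb64(text):
    return urlsafe_b64decode(text.encode("ascii")).decode("utf-8")


def _sign(payload, secret):
    """HMAC-SHA256 over the whole payload, so editing any field invalidates it."""
    return hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()


def make_reset_token(username, new_password, timestamp=None, secret=SECRET):
    """Build the token that goes into the emailed link:
    <username>:<new password>:<timestamp>:<hmac>  (first two fields base64)."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    payload = ":".join([_b64(username), _b64(new_password), str(ts)])
    return payload + ":" + _sign(payload, secret)


def verify_reset_token(token, now=None, max_age=MAX_AGE_SECONDS, secret=SECRET):
    """Return (username, new_password) if the token is intact and still fresh.
    Raise ValueError with a reason otherwise; the confirmation view would show
    an error page instead of resetting anything."""
    try:
        user_b64, pw_b64, ts_str, sig = token.split(":")
        ts = int(ts_str)
    except ValueError:
        raise ValueError("malformed token") from None
    payload = ":".join([user_b64, pw_b64, ts_str])
    # Check the signature before trusting any field, with a constant-time compare.
    if not hmac.compare_digest(_sign(payload, secret), sig):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else int(now)
    if ts > now + FUTURE_SKEW_SECONDS:
        raise ValueError("timestamp in the future")
    if now - ts > max_age:
        raise ValueError("token expired")
    return _unb64(user_b64), _unb64(pw_b64)


def token_status(token, now=None):
    """Convenience for logging and tests: 'ok' or the rejection reason."""
    try:
        verify_reset_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def reset_link(base_url, token):
    """Hypothetical URL shape for the confirmation view (an assumption)."""
    return "%s/accounts/reset/confirm/%s/" % (base_url.rstrip("/"), token)


if __name__ == "__main__":
    tok = make_reset_token("alice", "correct horse battery staple")
    print(reset_link("https://example.com", tok))
    print(verify_reset_token(tok))
```

Two points worth keeping in mind when reading this against the proposal: the expiry window limits how long a sniffed link stays useful, but within that window the same link can still be replayed, so a site that wants each link to work exactly once would additionally record consumed tokens server-side; and because the new password travels inside the URL, it will appear in mail archives and web-server access logs, which is part of why the proposal leans on SSL and a short window.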
