It sounds like what you are advocating is changing the password reset to work similar to the way activation works in James Bennett's django-registration, is that correct?
On Jun 27, 4:01 pm, Luke Plant <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Currently password reset is done without any confirmation, so all you have to do is know someone's email and a Django site that they use (assuming it uses the default password reset code) and you can change their password. In this way, you only have to make about 1 request/minute to completely block someone from accessing their account.
>
> (Related tickets:
> http://code.djangoproject.com/ticket/4235
> http://code.djangoproject.com/ticket/5272)
>
> I propose to change to a solution that requires clicking a link in an email, with the link containing the username, the new password, a timestamp and a hash to stop tampering. This link is handled by a new view which does the resetting, and gives a limited period for the reset, so that someone who sniffs the URL cannot keep resetting the password.
>
> As I understand it, with SSL both GET and POST parameters in a request are invisible to sniffers, so if SSL is enabled this would become a secure solution (without SSL, GET and POST etc are of course completely visible to sniffers, so you can't design a system that is properly secure without SSL).
>
> This would be a backwards incompatible change -- if you have provided your own templates for the password reset views then they will need fixing. It doesn't make sense to do it to trunk, since the password reset view has already changed in newforms-admin, so this should probably wait for the nfa merge.
>
> I've actually already implemented the above system for my own site, complete with tests. Testing is still problematic for views in contrib, but that should be fixed shortly.
>
> What do people think? Did I miss any problems?
>
> Luke
>
> --
> "If your parents never had children, the chances are you won't either."
>
> Luke Plant || http://lukeplant.me.uk/
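The confirmation-link scheme Luke describes (username, timestamp and a keyed hash in the URL, checked by a view that refuses stale or tampered links) can be sketched in plain Python without Django. The following is an added illustration, not code from the thread or from django-registration; the secret key, the `example.invalid` host, the one-hour window and the user store are all constructed for the example. It also goes one step beyond the quoted proposal in two ways a reviewer would want to see: the new password is not carried in the link (a password in a URL lands in server logs, proxies and browser history), and the user's current password hash is folded into the HMAC, so a link stops verifying as soon as the password has been changed, which makes each link single-use.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret. In a Django project this would be
# settings.SECRET_KEY; the value here is constructed for the example only.
SECRET_KEY = b"constructed-example-secret-do-not-use"
RESET_WINDOW_SECONDS = 3600  # a reset link stays valid for one hour

# Constructed user store: username -> stored password hash.
USERS = {
    "alice": "pbkdf2$constructed-hash-1",
    "bob": "pbkdf2$constructed-hash-2",
}


def _signature(username: str, timestamp: int, password_hash: str) -> str:
    """HMAC-SHA256 over the fields embedded in the link plus the user's
    current password hash. Binding the hash means that once the password
    changes, the same link no longer verifies (single-use)."""
    msg = f"{username}|{timestamp}|{password_hash}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_reset_link(username: str, password_hash: str, now=None) -> str:
    """Build the confirmation URL that would be e-mailed to the user."""
    ts = int(now if now is not None else time.time())
    query = urlencode({"u": username, "t": ts,
                       "h": _signature(username, ts, password_hash)})
    return f"https://example.invalid/accounts/reset/confirm/?{query}"


def check_reset_link(link: str, lookup_password_hash, now=None):
    """Validate a clicked link. Returns the username if the link is
    well-formed, unexpired and carries a valid signature for that user's
    *current* password hash; otherwise returns None."""
    now = now if now is not None else time.time()
    params = parse_qs(urlparse(link).query)
    try:
        username = params["u"][0]
        ts = int(params["t"][0])
        sig = params["h"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameters
    # Reject links from the future and links older than the reset window.
    if ts > now or now - ts > RESET_WINDOW_SECONDS:
        return None
    current_hash = lookup_password_hash(username)
    if current_hash is None:
        return None  # unknown user
    expected = _signature(username, ts, current_hash)
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    return username


def confirm_reset(link: str, new_password_hash: str, now=None) -> bool:
    """What the confirmation view would do: verify the link, then store the
    new password hash. A second click on the same link fails because the
    stored hash has changed."""
    username = check_reset_link(link, USERS.get, now=now)
    if username is None:
        return False
    USERS[username] = new_password_hash
    return True


if __name__ == "__main__":
    link = make_reset_link("alice", USERS["alice"])
    print("link:", link)
    print("first click ok:", confirm_reset(link, "pbkdf2$constructed-hash-new"))
    print("second click ok:", confirm_reset(link, "pbkdf2$constructed-hash-again"))
```

The expiry check covers the concern about a sniffed URL being replayed indefinitely, and the signature covers tampering with the username; neither replaces TLS on the reset endpoint, which is what keeps the link out of a passive observer's hands in the first place.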