On Feb 20, 2006, at 12:27 PM, Erik Hollensbe wrote:
1) User requests password reset
2) 3 unique, random values are generated, a, b, and c, which are
stored local to the webserver
3) A cookie is set on the browser with a+b hashed, with a timeout
4) special url is emailed to the user with a+c hashed used for
confirmation
5) user clicks url
6) a+c is checked, hash of a+b is generated
7) a+b is validated against cookie
8) if we're here, user is allowed to change password.
It's complicated, but IMO we're covering an edge case. However, if
the cookie is delivered flagged secure over SSL, the local machine
(or SSL) pretty much has to be compromised for this to fail.
The user DOES have to use the same browser, respond within the
timeout, and of course be able to get the email for this to work.
Ack, I hadn't had my coffee when I wrote that, here's some
simplification:
'a' doesn't necessarily need to exist, although something which can
pad the length of the hashed content and/or otherwise enforce
uniqueness is important.
The result set on the url of course has to be unique, but the
contents of the cookie need not necessarily be.
Also, sorry if I wasted your guys' time, it seems after I posted this
you guys had decided on an implementation.
--
Erik Hollensbe
[EMAIL PROTECTED]
_______________________________________________
PDXRuby mailing list
[email protected]
IRC: #pdx.rb on irc.freenode.net
http://lists.pdxruby.org/mailman/listinfo/pdxruby
