So, how should the keys be generated? Should I add in a random salt like the django-email-confirmation app does?
Also, should the temp_key field on the PasswordReset model force uniqueness?

On Oct 27, 12:17 am, Brian Rosner <[email protected]> wrote:
> On Oct 27, 2009, at 12:33 AM, Nick Retallack wrote:
>
> >> It looks like these issues are direct result of the fact it is
> >> possible to create multiple password resets keys for the same e-mail
> >> address. Though I think we should additionally add the reset=False on
> >> save to allow the database to serve as record of password resets.
>
> > Technically it's because there are multiple identical reset keys,
> > caused by hashing the same data. The fact that multiple emails are
> > sent out doesn't seem like such a problem. But the fact that they're
> > supposed to contain different keys, yet in fact contain the same ones,
> > is problematic.
>
> Which as I've said in my first e-mail responding to the original
> message is something I want to see solved.
>
> > Also, is there any reason why it keeps the old resets around and just
> > sets reset=True? Of what use is this information? Auditing? And
> > what should happen if there are two valid password reset keys out
> > there and you use one? I think the other one should be deleted, at
> > least. I mean, that's a nasty security hole to leave open if you
> > don't.
>
> Yes, auditing is handy. However, you bring up a valid point. We should
> definitely delete them. It'd actually be better of us to also generate
> unique hashes per request. Unfortunately, now doing multiple
> successful password resets is problematic. Though a separate issue
> from invalidation.
>
> Brian Rosner
> http://oebfare.com
> http://twitter.com/brosner

You received this message because you are subscribed to the Google Groups "Pinax Core Development" group.
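The thread above raises three points: reset keys derived by hashing the same input collide, several valid keys for one address can coexist, and using one key should invalidate the others while keeping a record for auditing. The following is an added example, not code from the thread or from the Pinax project, showing one way to satisfy all three with plain Python. It assumes an in-memory stand-in for the PasswordReset model (the `PasswordResetStore` class, `TOKEN_TTL_SECONDS` and the sample addresses are constructed for this example); in a real application the rows would live in the database and `key_hash` would be the unique column.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a reset link is accepted for one hour.
TOKEN_TTL_SECONDS = 60 * 60


class PasswordResetStore:
    """In-memory stand-in for a PasswordReset table (constructed for this example).

    Each row holds: email, key_hash, created (epoch seconds), reset (bool).
    Only a hash of the token is stored, so a leaked table does not yield
    usable reset links.
    """

    def __init__(self):
        self._rows = []

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, email, now=None):
        """Issue a fresh token. A random token per request means two
        requests for the same address never share a key, which is the
        collision the thread describes when the key is a hash of fixed data."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows.append({
            "email": email,
            "key_hash": self._hash(token),
            "created": now,
            "reset": False,
        })
        return token  # the raw token goes into the e-mailed link only

    def _find(self, key_hash):
        # Constant-time comparison so lookup timing does not leak hash prefixes.
        for row in self._rows:
            if hmac.compare_digest(row["key_hash"], key_hash):
                return row
        return None

    def consume(self, token, now=None):
        """Redeem a token. Returns the e-mail address on success, None otherwise.

        On success every outstanding reset for that address is marked
        reset=True: the rows stay behind as an audit record, but none of the
        other keys can be used afterwards."""
        now = time.time() if now is None else now
        row = self._find(self._hash(token))
        if row is None or row["reset"]:
            return None
        if now - row["created"] > TOKEN_TTL_SECONDS:
            return None
        for other in self._rows:
            if other["email"] == row["email"]:
                other["reset"] = True
        return row["email"]

    def outstanding(self, email):
        """Number of still-usable reset keys for an address."""
        return sum(1 for r in self._rows if r["email"] == email and not r["reset"])


if __name__ == "__main__":
    store = PasswordResetStore()
    first = store.create("[email protected]")
    second = store.create("[email protected]")
    print("distinct keys:", first != second)
    print("redeemed:", store.consume(second))
    print("left usable after redemption:", store.outstanding("[email protected]"))
```

Whether superseded rows are deleted or merely flagged is the auditing trade-off Brian mentions; flagging keeps the history, deletion keeps the table small, and either closes the window in which a second key remains valid.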
