Hi Jacques, I wanted to know how "email password" works and if OFBiz already prevents this DoS attack.

Regards
Angelo.

jacques.le.roux wrote:
> Hi Mike,
>
> Yes, sure, feel free to open a Jira (the description below should be sufficient, of course a patch highly appreciated)
>
> Thanks
>
> Jacques
>
> From: "Mike Rose" <[email protected]>
>> Jacques,
>>
>> I think what Angelo is alluding to is that the current method allows a malicious prankster to create something of a denial of service attack against a registered user. It wouldn't be very difficult to script a 'bot that constantly resets a user's password. A more secure method would work along the following lines:
>>
>> 1. User enters username on the forgotPassword page and submits the form.
>>
>> 2. System emails a "reset password" link to the user's email. Link should contain a serialized request id. Serialized request id should be implemented in such a manner that it can only be requested a limited number of times within a fairly short time period (say, 3 times within 30 mins of submitting the forgotPassword form).
>>
>> 3. User retrieves the email and clicks on the "reset password" link.
>>
>> 4. User arrives at the "reset password" form within OFBiz and is asked to reset password. They may also be challenged to answer a security question (which adds some additional security in case the email account has been compromised). If the "reset password" link has been clicked too many times within the expiration period (indicates a possible hacking attempt), clicked beyond the expiration timestamp (link is stale) or has already been used to successfully reset the account password, the system should present the user with an error message.
>>
>> Mike
>>
>> On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote:
>>
>>> Yes, in *your* mailbox. Is this a problem for you?
>>> You can't prevent that if you want to give some flexibility.
>>> "You can't have the cake and eat it" ;o)
>>>
>>> Jacques
>>>
>>> From: "Angelo Matarazzo" <[email protected]>
>>>> I suppose that in security.properties password.encrypt=true and my username is "matarazzoa".
>>>> I suppose that an OFBiz user knows my username and in this screen https://demo904.ofbiz.org/ordermgr/control/forgotPassword puts my username matarazzoa and clicks "email password".
>>>> The OFBiz system will change my password in the userLogin entity and will send this new password to my email address.
>>>> Has another user changed my password?
>>>> Am I right?
>>>> Thank you.
>>>> --
>>>> View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
>>>> Sent from the OFBiz - User mailing list archive at Nabble.com.

--
View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25846328.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
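The reset-link scheme Mike sketches in steps 1 to 4, as an added illustration that is not OFBiz code and not from anyone in this thread: a small Python token service that rate-limits forgotPassword requests per user (3 per 30 minutes, as suggested), keeps only a hash of each link token, leaves the stored password untouched until the user completes the reset, and refuses links that are stale, already used or visited too often. The link lifetime, the click limit and the caller-supplied `now` timestamps (seconds) are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

WINDOW_SECONDS = 30 * 60     # forgotPassword submissions are counted over a 30-minute window
MAX_REQUESTS_PER_WINDOW = 3  # at most 3 reset e-mails per user in that window
TOKEN_TTL_SECONDS = 30 * 60  # a link is stale after 30 minutes (assumed value)
MAX_LINK_CLICKS = 3          # more visits than this to one link -> refuse it (assumed value)

def _digest(token): return hashlib.sha256(token.encode()).hexdigest()  # store hashes, never raw tokens

@dataclass
class ResetRequest:
    username: str
    expires_at: float
    clicks: int = 0
    used: bool = False

@dataclass
class ResetService:
    pending: dict = field(default_factory=dict)  # token digest -> ResetRequest
    history: dict = field(default_factory=dict)  # username -> recent request times

    def request_reset(self, username, now):
        # Steps 1-2: issue a link token, or None when rate-limited; the password itself is untouched.
        recent = [t for t in self.history.get(username, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return None
        self.history[username] = recent + [now]
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = ResetRequest(username, now + TOKEN_TTL_SECONDS)
        return token

    def open_link(self, token, now):
        # Steps 3-4: the user follows the e-mailed link; returns (ok, username_or_reason).
        req = self.pending.get(_digest(token))
        if req is None:
            return False, "unknown link"
        req.clicks += 1
        if req.used:
            return False, "already used"
        if now > req.expires_at:
            return False, "stale link"
        if req.clicks > MAX_LINK_CLICKS:
            return False, "too many attempts"
        return True, req.username

    def finish_reset(self, token):
        # Called after a successful open_link once the new password is saved: the link is single use.
        self.pending[_digest(token)].used = True
```

A fourth submission inside the window returns None, so the attacker's script gets nothing to send while the real user can still finish a reset from the first e-mail.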
