I would like to make an evolution in the management of the request of password loss.

At present the stages are the following ones:
  1 - Request of loss of password (by the user)
  2 - Change of password by a temporary one (by the system)
  3 - Send of an e-mail with a link to define a new password (by the system)
  4 - Set the new password (by the user)
  5 - Recording of the new password (by the system)

This workflow is problematic because the change of password is made as soon as the person confirms the change of password (stage 2). It is possible that the person who makes the change of password is not the person associated with the account.

Here is a proposal of modification of the workflow
  1 - Request of loss of password (by the user)
  2 - Recording of a request of loss of password associated with the login (by the system)
  3 - Send of an e-mail to confirm the request of change of password with a link containing the reference of the request to change of password (by the system)
  4 - Connection of the user to the form to change the password and seized with a new password (by the user)
  5 - Check that the login and the request are associated
  6 - Recording of the new password (by the system)

What do you think about this change?


Pierre

--
logoNrd <http://nereide.fr/>
        Pierre GAUDIN
Functional Consultant Apache-OFBiz, free-software ERP
[email protected]
8 rue des Déportés 37000 TOURS
Std: 02 47 50 30 54 - mob: 06 08 40 25 70

réseau LE <http://www.libre-entreprise.org/>
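
The proposed workflow from the message above (steps 1 to 6), sketched as an added example that is not part of the original e-mail and is not OFBiz code: the stored password stays untouched until the e-mailed request reference is checked against the login. The in-memory stores, function names, 30-minute lifetime, single-use rule and storing only a hash of the reference are assumptions.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 30 * 60  # assumed lifetime of a reset request


def hash_password(password, salt=None):
    """Salted PBKDF2 hash, standing in for the system's password storage."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


passwords = {"alice": hash_password("old-password")}  # constructed sample account
reset_requests = {}  # sha256(reference) -> (login, expiry timestamp)


def _digest(reference):
    # Only a hash is stored, so a leaked request table cannot be replayed.
    return hashlib.sha256(reference.encode()).hexdigest()


def request_reset(login, now=None):
    """Steps 1-3: record the request; the current password is NOT changed."""
    now = time.time() if now is None else now
    if login not in passwords:
        return None  # the UI should answer identically for unknown logins
    reference = secrets.token_urlsafe(32)  # unguessable, goes only in the e-mail link
    reset_requests[_digest(reference)] = (login, now + TTL_SECONDS)
    return reference


def confirm_reset(login, reference, new_password, now=None):
    """Steps 4-6: check that login and request match, then record the password."""
    now = time.time() if now is None else now
    key = _digest(reference)
    entry = reset_requests.get(key)
    if entry is None:
        return False  # unknown or already used reference
    req_login, expiry = entry
    if now > expiry:
        del reset_requests[key]  # expired requests are discarded
        return False
    if req_login != login:
        return False  # step 5: the reference belongs to another login
    del reset_requests[key]  # single use
    passwords[login] = hash_password(new_password)
    return True
```
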
