Feature #48364

Remove password from fe_user after click on forgot_password link

Added by Joerg Schoppet over 6 years ago. Updated over 6 years ago.

Status:
Rejected
Priority:
Could have
Assignee:
-
Category:
felogin
Target version:
-
Start date:
2013-05-17
Due date:
% Done:

0%

PHP Version:
5.3
Tags:
Complexity:
medium
Sprint Focus:

Description

Hi,

currently, if I use the "Forgot Password" feature of felogin, the existing password still allows a re-login. For security reasons it would be meaningful to remove the password from the user (or set it to a random string) as soon as the email has been sent, so that the user has to create a new one.

An additional setting in TS (clearPasswordAfterForgot), which defaults to 0 (do not clear the password field) would ease the configuration and keep BC.

Place would be in "FrontendLoginController.php" -> showForgot() after line 249.

Regards

joerg

History

#1 Updated by Philipp Gampe over 6 years ago

  • Status changed from New to Needs Feedback
  • TYPO3 Version changed from 6.1 to 6.2
  • Complexity changed from easy to medium

IMHO this is the wrong approach. That way you can DoS every user whose email address you know.

Forgetting a password is not a security risk and there is no reason to remove the password if the reset password process is started.
Actually I expect the password to stay the same until I confirmed the email by changing my password.

#2 Updated by Joerg Schoppet over 6 years ago

I get your point. That's the reason I wanted to have it only as an option which defaults to "no reset".

Additionally, I know that this isn't something used/requested very often, but at least I had this requirement in the past.

#3 Updated by Jigal van Hemert over 6 years ago

  • Status changed from Needs Feedback to Rejected

As Philipp pointed out, such a setting can easily lead to problems when people start to guess usernames or email addresses and block access to these accounts by removing their passwords.

If you need to implement this for a project you can use the hook $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['forgotPasswordMail'] which is called inside generateAndSendHash() (the function which sends the mail with the link). You also get the user record in this hook, so your hook subscriber can execute a query to unset the password for that user.
