#4708 - Overhaul to lost password support
| Identifier | #4708 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Overhaul to lost password support |
| Status | Open |
| Tags | Has Patch (custom), Roadmap: Over the horizon (custom), Type: Security (custom) |
| Handling member | Deleted |
| Addon | core_cns |
| Description | The lost password support is rather over-complex. Provide better messaging. Clean up the code with better comments. Remove the temporary password option, and the option to have a new password e-mailed, and instead always just assign a randomised password, create a logged-in session for them, and take them to edit their account to set a new password. There's no need to make this stuff configurable, just to have a sensible flow that covers all the bases and is maximally secure and user-friendly (there's no trade-off necessary in this case). Allow configuration for whether admins may reset their own passwords; currently it is hard-coded that they cannot. Allow configuration for where to redirect the user after they successfully reset their password. Allow configuration of the expiry of a password reset token, for security in case someone's email account is harvested at a much later date. Remove the "ultra security" mode, as the above changes mean it isn't really adding anything anymore. Members may not complete the lost password process; add a notification to the staff for when it is not completed, so they can manually follow up if desired. |
| Steps to reproduce | |
| Funded? | No |
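The flow the description proposes (a single-use reset token with a configurable expiry, a randomised password assigned on completion, a logged-in session, a configurable post-reset redirect, a switch for admin self-reset, and a staff notification when a reset is abandoned), as an added Python model. This is not Composr's code and not the patch attached to the issue; the class and method names, the in-memory stores, the PBKDF2 password hash, the `/members/edit` redirect and the one-hour default expiry are all assumptions made for the example.

```python
"""Model of the lost-password flow proposed in #4708 (hypothetical, not Composr's code)."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    username: str
    email: str
    password_hash: str
    is_admin: bool = False


@dataclass
class ResetRequest:
    username: str
    issued_at: float  # seconds; injected by the caller so expiry is testable


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-SHA256 (assumed; stands in for whatever the real site uses)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


class LostPasswordService:
    def __init__(self, allow_admin_self_reset: bool = False,
                 token_ttl: float = 3600.0,
                 post_reset_redirect: str = "/members/edit"):
        # The three configurable knobs the issue asks for (defaults are assumptions).
        self.allow_admin_self_reset = allow_admin_self_reset
        self.token_ttl = token_ttl
        self.post_reset_redirect = post_reset_redirect
        self.members: Dict[str, Member] = {}
        self.pending: Dict[str, ResetRequest] = {}  # sha256(token) -> request
        self.sessions: Dict[str, str] = {}          # session id -> username
        self.outbox: List[Tuple[str, str]] = []     # (email, token) the mail would carry
        self.staff_notifications: List[str] = []

    def add_member(self, username: str, email: str, password: str, is_admin: bool = False) -> None:
        self.members[username] = Member(username, email, hash_password(password), is_admin)

    @staticmethod
    def _token_key(token: str) -> str:
        # Only the hash of the token is stored, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str, now: float) -> bool:
        """Start a reset. Always reports success so the response does not reveal
        whether the account exists or is an admin (a caveat added here, not in the issue)."""
        member = self.members.get(username)
        if member is None or (member.is_admin and not self.allow_admin_self_reset):
            return True
        token = secrets.token_urlsafe(32)
        self.pending[self._token_key(token)] = ResetRequest(username, now)
        self.outbox.append((member.email, token))
        return True

    def complete_reset(self, token: str, now: float) -> Optional[Tuple[str, str]]:
        """Consume the token: assign a random password, open a session, and return
        (session_id, redirect). None means unknown, already used, or expired."""
        key = self._token_key(token)
        req = self.pending.get(key)
        if req is None or now - req.issued_at > self.token_ttl:
            return None  # expired requests stay pending so sweep_expired() can report them
        del self.pending[key]  # single use
        member = self.members[req.username]
        member.password_hash = hash_password(secrets.token_urlsafe(24))  # member never learns it
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = member.username
        return session_id, self.post_reset_redirect

    def sweep_expired(self, now: float) -> List[str]:
        """Drop expired, never-completed requests and queue a staff notification for each."""
        notified = []
        for key, req in list(self.pending.items()):
            if now - req.issued_at > self.token_ttl:
                del self.pending[key]
                self.staff_notifications.append(
                    f"{req.username} started a password reset but did not complete it")
                notified.append(req.username)
        return notified
```

Because the member is logged in with a password only the server knows, the account-edit page reached via the redirect is the only place a usable password gets set, which is what makes the separate "temporary password" and "e-mail a new password" options redundant. A production version would store `pending` and `sessions` in the database and send the token in a link rather than returning it to the caller.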