Reset password tokens: user errors lead to confusion (multiple reset password requests)

Description

Allow looking up of old reset password tokens from the version table (if it hasn't been disabled). If the token in the link clicked is no longer valid but exists in the version table, then either:

1. Display a specific message such as: "Your reset password link has expired because a new one was generated at x:x:x time", or "Your reset password link is no longer valid as you successfully set your password at x:x:x time".
2. If the old token has not expired, allow it to be used to validate the user.

Allow users to configure whether this feature is used at all and which of the above two options should be used.
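The lookup described above, sketched as an added example (not the project's own code). The record fields, the one-hour lifetime, the mode names and the rule that an already-used token is never re-accepted are assumptions.

```python
import hmac
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(hours=1)  # assumed token lifetime, not from the page

def _same(a, b):
    # Constant-time comparison so the lookup does not leak token prefixes.
    return hmac.compare_digest(a.encode(), b.encode())

def check_reset_token(token, current, history, now, mode="message"):
    """Return (status, message). mode: 'off' | 'message' | 'allow'.

    current: {'token', 'issued_at'} or None (the live token record).
    history: old versions, each {'token', 'issued_at', 'retired_at', 'reason'}
             where reason is 'superseded' or 'used' (hypothetical schema).
    """
    if current and _same(token, current["token"]):
        if now - current["issued_at"] <= TOKEN_TTL:
            return ("valid", "")
        return ("expired", "Your reset password link has expired.")
    if mode == "off":
        return ("invalid", "Your reset password link is not valid.")
    for old in history:
        if not _same(token, old["token"]):
            continue
        at = old["retired_at"].strftime("%H:%M:%S")
        if old["reason"] == "used":
            # Assumption: a token that already set a password is never reusable.
            return ("used", "Your reset password link is no longer valid as you "
                            f"successfully set your password at {at}.")
        if now - old["issued_at"] > TOKEN_TTL:
            return ("expired", "Your reset password link has expired.")
        if mode == "allow":
            return ("valid", "")
        return ("superseded", "Your reset password link has expired because "
                              f"a new one was generated at {at}.")
    return ("invalid", "Your reset password link is not valid.")

# Constructed sample data: two reset requests five minutes apart.
T0 = datetime(2020, 4, 9, 5, 0, 0)
HISTORY = [{"token": "tok-first", "issued_at": T0,
            "retired_at": T0 + timedelta(minutes=5), "reason": "superseded"}]
CURRENT = {"token": "tok-second", "issued_at": T0 + timedelta(minutes=5)}

if __name__ == "__main__":
    print(check_reset_token("tok-first", CURRENT, HISTORY, T0 + timedelta(minutes=10)))
```

In `allow` mode every unexpired superseded link remains a working credential, so issuing a new link no longer revokes the earlier ones.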

Activity

Seak Chiew Lee
April 9, 2020, 5:25 AM

Possible to add a restriction with a multiple-retry cool-down timer, so that when a user resets the token for the first time and accidentally triggers the reset token again in the next 5 minutes, an error will be displayed instead of issuing a new token?

Johnson Cheng
May 7, 2020, 12:30 PM

Hi , Could you help to review the changes please?

Dominic Watson
July 27, 2020, 10:39 AM

Thanks . This was reworked and fix available in upcoming 10.12.0 release.

Assignee

Dominic Watson

Reporter

Dominic Watson

Labels

None

Accepted

Yes

Fix versions

Priority

Medium