I'm currently running 1.9.3 and have not had much of a chance lately to do any coding, so I thought I would throw out my thoughts here for some input.

The Lost Password functionality currently requires that a person enter a valid forum username and the system will generate a new password and email that password to the email address that matches the username.

The problem that I am having is that anybody can reset the password for any forum user. This only requires that they copy a forum username and enter it into the Lost Password box.

On more than one occasion I have had this feature abused. There really is no harm, but when a user gets a password reset email and they didn't initiate the process, they feel a little violated.

Is there a way to email the user with a link to click on that will reset the password?

This would eliminate the anonymous password resetter bandit from the forums.

Are there any other suggestions on how to eliminate this?

Thanks for all of your work on this. I'm looking forward to testing 1.9.4.
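
The confirmation-link flow asked about in the post above, as an added C# example that is not YAF.NET code and not part of the original post: requesting a reset only issues a single-use, expiring token, and the password can change only when that token comes back from the mailed link. The class and method names are hypothetical, the in-memory dictionary stands in for a database table, and the 30-minute lifetime is an assumed value.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper, not YAF.NET code. The dictionary stands in for a DB
// table; a real site would need a persistent, concurrency-safe store.
public sealed class PasswordResetTokens
{
    private readonly Dictionary<string, (string User, DateTime Expires)> pending =
        new Dictionary<string, (string User, DateTime Expires)>();
    private readonly TimeSpan lifetime = TimeSpan.FromMinutes(30); // assumed value

    // Only a hash of the token is stored, so a leaked table cannot be replayed.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Step 1, from the Lost Password form: the current password is NOT changed.
    // The returned token goes into the link mailed to the address on file.
    public string Issue(string userName, DateTime nowUtc)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", ""); // hex, URL-safe
        pending[Hash(token)] = (userName, nowUtc + lifetime);
        return token;
    }

    // Step 2, when the link is opened: returns the user whose password may now
    // be changed, or null for an unknown, already used or expired token.
    public string Redeem(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string key = Hash(token);
        if (!pending.TryGetValue(key, out var entry)) return null;
        pending.Remove(key); // single use, even if expired
        return nowUtc <= entry.Expires ? entry.User : null;
    }

    public static void Main()
    {
        var store = new PasswordResetTokens();
        DateTime now = DateTime.UtcNow;
        string token = store.Issue("alice", now); // constructed sample user
        Console.WriteLine(store.Redeem("guess", now) ?? "(rejected)");
        Console.WriteLine(store.Redeem(token, now.AddMinutes(5)) ?? "(rejected)");
        Console.WriteLine(store.Redeem(token, now.AddMinutes(6)) ?? "(rejected)");
    }
}
```

With this shape, someone who only knows a forum username can at most cause a link to be mailed; the account's existing password keeps working until the mailbox owner follows the link.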
