lost password hash expire #21466
Oh sorry! I'm still using 8.1.x and searched for an issue before I created this.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
If a user clicks on "lost password", the hash is stored until he changes it. But if the user remembers his old password, the password hash is valid until his next click on "lost password".
In my case there are about 100 users, the system has been running for about a year, and there are 10 lostpassword hashes.
If the reset mail with the link is sent unencrypted via SMTP, maybe there is a mail admin who knows the link too.
It would be useful if a timestamp were generated and stored in oc_preferences as lostpasswordtime. Then it would be possible to create a job that cleans up all hashes that are older than x hours (value from config.php).
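A sketch of the expiry scheme proposed in the issue, added here as an illustration and not taken from the project's code: the token is stored with a `lostpasswordtime` timestamp, rejected at redemption once it is too old, and removed by a cleanup job. The `oc_preferences` column layout, the `owncloud` appid, the `lostpassword` key, the 12-hour limit and all function names are assumptions made for the example.

```python
import hmac
import sqlite3

MAX_AGE_HOURS = 12  # assumed value for the "x hours" read from config.php
APP = "owncloud"    # assumed appid under which the reset rows are stored

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE oc_preferences (userid TEXT, appid TEXT, configkey TEXT, "
               "configvalue TEXT, PRIMARY KEY (userid, appid, configkey))")
    return db

def get_pref(db, user, key):
    row = db.execute("SELECT configvalue FROM oc_preferences WHERE userid=? "
                     "AND appid=? AND configkey=?", (user, APP, key)).fetchone()
    return row[0] if row else None

def request_reset(db, user, token, now):
    # Store the token together with its issue time (the proposed lostpasswordtime).
    for key, value in (("lostpassword", token), ("lostpasswordtime", str(int(now)))):
        db.execute("INSERT OR REPLACE INTO oc_preferences VALUES (?, ?, ?, ?)",
                   (user, APP, key, value))

def clear_reset(db, user):
    db.execute("DELETE FROM oc_preferences WHERE userid=? AND appid=? AND "
               "configkey IN ('lostpassword', 'lostpasswordtime')", (user, APP))

def redeem(db, user, presented, now, max_age_hours=MAX_AGE_HOURS):
    stored = get_pref(db, user, "lostpassword")
    issued = get_pref(db, user, "lostpasswordtime")
    if stored is None:
        return False
    # A token with no timestamp (row written before the change) counts as expired.
    expired = issued is None or now - int(issued) > max_age_hours * 3600
    ok = not expired and hmac.compare_digest(stored.encode(), presented.encode())
    if ok or expired:
        clear_reset(db, user)  # single use; expired tokens are dropped on sight
    return ok

def cleanup(db, now, max_age_hours=MAX_AGE_HOURS):
    cutoff = int(now) - max_age_hours * 3600  # older, or untimestamped, rows go
    rows = db.execute(
        "SELECT t.userid FROM oc_preferences t LEFT JOIN oc_preferences ts "
        "ON ts.userid=t.userid AND ts.appid=t.appid AND ts.configkey='lostpasswordtime' "
        "WHERE t.appid=? AND t.configkey='lostpassword' AND (ts.configvalue IS NULL "
        "OR CAST(ts.configvalue AS INTEGER) < ?)", (APP, cutoff)).fetchall()
    for (user,) in rows:
        clear_reset(db, user)
    return sorted(user for (user,) in rows)
```

Checking the age in `redeem` as well as in the job means a stale link is refused even if the cleanup has not run yet.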