different password reset process


Wes James

Nov 25, 2009, 12:14:39 AM
to web2py Web Framework
Massimo,

I've been working on an app that has this type of password reset:

1. click on password reset
2. user types in email address
3. the user gets an email that has a link that takes them back to the
web2py site
4. a new password is typed in and this resets the password.

This allows for a more secure password reset. Would you like this
code to use for password reset in w2p?

thx,

-wes

Jonathan Lundell

Nov 25, 2009, 1:30:13 AM
to web...@googlegroups.com

What happens when a bad guy tries it?

mdipierro

Nov 25, 2009, 9:37:01 AM
to web2py-users
yes, please. Can you send it as a patch to tools?

Wes James

Nov 25, 2009, 9:41:03 AM
to web...@googlegroups.com
If a random person puts in an email address, the email must exist in
the system otherwise they will get a message "unable to send email".
If the hacker puts in a valid email, then the person with that email
will get the reset message, but since the person did not initiate the
password reset they know someone is tinkering.

make sense?

-wes

Wes James

Nov 25, 2009, 9:45:38 AM
to web...@googlegroups.com
I will test with putting the code in tools.py and learn how to send a patch ;)

thx,

-wes

mdipierro

Nov 25, 2009, 9:46:59 AM
to web2py-users
You just send me a new tools.py (I can do the merge).

On Nov 25, 8:45 am, Wes James <compte...@gmail.com> wrote:
> I will test with putting the code in tools.py and learn how to send a patch ;)
>
> thx,
>
> -wes
>
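
The four-step flow described in this thread, as an added sketch that is not Wes's code or web2py's tools.py. It goes beyond the thread in one respect, as one answer to the "bad guy" question: the form gives the same reply whether or not the address exists, and the emailed link carries a random, expiring, single-use token. The in-memory `USERS` table, the `OUTBOX` list standing in for the mailer, the `app.example` URL and the one-hour lifetime are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)
GENERIC_REPLY = "If that address is registered, a reset link has been sent."

# Constructed sample data standing in for the auth table and the mailer.
USERS = {"alice@example.com": {"password": None, "reset": None}}
OUTBOX = []


def _digest(token):
    # Store only a hash of the token so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password):
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()


def request_reset(email, now=None):
    """Steps 1-3: accept an address and mail a single-use link."""
    now = time.time() if now is None else now
    key = email.strip().lower()
    user = USERS.get(key)
    if user is not None:
        token = secrets.token_urlsafe(32)
        user["reset"] = (_digest(token), now + TOKEN_TTL)
        OUTBOX.append((key, "https://app.example/reset?token=" + token))
    # Same reply either way, so the form does not reveal which addresses exist.
    return GENERIC_REPLY


def complete_reset(token, new_password, now=None):
    """Step 4: set the new password if the token is known and unexpired."""
    now = time.time() if now is None else now
    candidate = _digest(token)
    for user in USERS.values():
        if user["reset"] is None:
            continue
        stored, expires = user["reset"]
        if secrets.compare_digest(stored, candidate) and now < expires:
            user["password"] = _hash_password(new_password)
            user["reset"] = None  # single use: the link dies once redeemed
            return True
    return False
```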