send password reset token in password recovery email

4 years 2 weeks ago - 4 years 2 weeks ago #317384 by pdolezel
Hello,
I've searched high and low, and didn't see an existing solution (sorry if I've missed it).

The password reset email sends both the username and password, which is a huge no-no from security perspective.
Is there a way to send a password reset token/link (similar to Joomla's native password reset) instead?

This is a question of not only security, but also usability. The machine-generated password is of no value to the users as the vast majority of them will want to reset it to something different than the machine-generated one. So why not simply take them to the password reset page right away rather than forcing them to log in, then actually look where they can change their password.

Any way to achieve this please?

Thanks a ton

4 years 2 weeks ago #317403 by krileon

The password reset email sends both the username and password, which is a huge no-no from security perspective.

We're aware, but it requires a rewrite of forgot login so it has not been done yet. The password sent is randomly generated however so there's no issues regarding plaintext storage at the very least. The user is expected to change their password.

Is there a way to send a password reset token/link (similar to Joomla's native password reset) instead?

No, not until we've redesigned the forgot login behavior.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and you are a Professional, Developer, or CBSubs subscriber, please send me a private message with your thread and I will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday), and if I've missed your post on or before a weekend after business hours, please wait for the next business day (Monday) and I will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
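
The token-based flow pdolezel asks for and krileon says would need a forgot-login rewrite, sketched as an added example. This is not Community Builder or Joomla code and none of it comes from the thread; the in-memory store, the `/reset-password` endpoint name, the 15-minute lifetime and the PBKDF2 work factor are all assumptions made for the illustration. The points it demonstrates are the ones that matter when the e-mail carries a link instead of a password: the token comes from the OS CSPRNG, only its hash is persisted, it expires, it is single-use, and issuing a new one supersedes the old.

```python
"""Token-based password reset, as a stand-in for e-mailing a generated
password. Added illustration: not Community Builder or Joomla code."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 15 * 60  # a reset link is a bearer credential: keep it short-lived
PBKDF2_ROUNDS = 210_000      # assumed work factor for the new password hash


def _digest(token):
    # Only this digest is persisted; a dump of the reset table yields no usable links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ResetTokenStore:
    """One pending reset per user, kept in memory for the example (a real
    deployment would use a database table). The clock is injectable so that
    expiry can be exercised without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> (token digest, expiry timestamp)

    def issue(self, user_id):
        # 32 bytes from the OS CSPRNG (43 URL-safe chars): unguessable, so a
        # wrong guess is not worth deleting the pending entry over.
        token = secrets.token_urlsafe(32)
        # Issuing again supersedes any earlier token for the same user.
        self._pending[user_id] = (_digest(token), self._clock() + TOKEN_TTL_SECONDS)
        return token  # handed out once: it goes into the e-mail and nowhere else

    def redeem(self, user_id, token):
        """True at most once per issued token, and only before it expires."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(stored_digest, _digest(token)):
            return False
        del self._pending[user_id]  # single use: the link is dead after this
        return True


def build_reset_link(base_url, user_id, token):
    # Hypothetical endpoint name; the real one is whatever the application
    # routes "choose a new password" to.
    return f"{base_url}/reset-password?" + urlencode({"uid": user_id, "token": token})


def complete_reset(store, users, user_id, token, new_password):
    """Handler behind the link: redeem first, then replace the password hash.
    `users` is a constructed in-memory table for the example."""
    if not store.redeem(user_id, token):
        return False
    salt = secrets.token_bytes(16)
    users[user_id]["pw"] = (
        salt,
        hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, PBKDF2_ROUNDS),
    )
    return True


if __name__ == "__main__":
    store = ResetTokenStore()
    users = {7: {"email": "someone@example.com", "pw": None}}  # constructed sample user
    tok = store.issue(7)
    print("mail this:", build_reset_link("https://example.test", 7, tok))
    print("first use:", complete_reset(store, users, 7, tok, "correct horse battery"))
    print("second use:", store.redeem(7, tok))
```

Compared with mailing a generated password, nothing in the message stays useful past one click or past the lifetime, and a stolen copy of the pending-reset table gives an attacker digests rather than links. The user lands directly on the "choose a new password" form, which is the usability point raised in the first post.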

4 years 2 weeks ago #317424 by pdolezel
Thanks, @krileon, is there a timing on this change? Best

4 years 2 weeks ago #317427 by krileon
I do not have a time frame for the forgot login redesign.

4 years 2 weeks ago #317428 by pdolezel
Thanks again, @krileon. One last post on this topic please.

Any hint you can give me on which file I could change the reroute from Joomla's native Password reset and Username reminder pages to /cb-forgot-login? I realize CB cannot recommend or endorse this, and that I am on my own if I make these changes. I'm a decently experienced Joomla user so I'm comfy with making these changes every time I upgrade CB.

Thanks a bunch!

4 years 2 weeks ago #317431 by krileon
You can disable the rerouting entirely within our system plugin in Extensions > Plugins.