AtlasOfLivingAustralia/ala-auth-plugin

Multiple password reset attempts generate error messages rather than simply succeeding

Closed · 1 comment

Received an email from a user where they couldn't reset their password due to the following error:

I have tried to reset my password, but I get the following error:

Password was not reset as AUTH_KEY did not match

This may occur because they clicked multiple times on the reset password link, but it should not be visible to the user and should appear no different to any other password reset attempt.

Not sure why it started to work for them again today after it failed on Friday, as I didn't change anything in the database or code myself, but this particular user no longer has this issue.

In addition to getting support emails after they do this and wonder why it appears to fail, we are providing confirmation that a particular user exists (attempting to reset any valid user's password twice reveals that the user exists), which is a security/privacy issue.

Some strategies on how to build a secure password reset facility, most of which we may already be doing, can be found at:

https://www.troyhunt.com/everything-you-ever-wanted-to-know/
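The two behaviours described in the issue, side by side, as an added example that is not the plugin's code: `leaky_complete` returns a different message per branch (so a repeated click on a used link reveals a real account), while `safe_complete` consumes the AUTH_KEY on first use, compares it in constant time, and answers every outcome with one generic text. The in-memory store, the `GENERIC_RESPONSE` wording and the `"Unknown user"` branch are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# One response text for every outcome of the reset step (constructed wording).
GENERIC_RESPONSE = "If a matching reset request existed, the password has been updated."

def _hash_key(auth_key: str) -> str:
    return hashlib.sha256(auth_key.encode()).hexdigest()

class ResetService:
    """Constructed in-memory stand-in for the user store."""

    def __init__(self):
        self.users = {}  # username -> {"password": str, "reset_hash": str | None}

    def add_user(self, username, password):
        self.users[username] = {"password": password, "reset_hash": None}

    def request_reset(self, username):
        """Step 1: mint a one-time AUTH_KEY for a real account, storing only its hash.
        Returns the key for the mailer (None for unknown accounts, server-side only)."""
        user = self.users.get(username)
        if user is None:
            return None
        auth_key = secrets.token_urlsafe(32)
        user["reset_hash"] = _hash_key(auth_key)
        return auth_key

    def leaky_complete(self, username, auth_key, new_password):
        """Behaviour the issue reports: a distinct message per branch, so a second
        click on a used link says 'AUTH_KEY did not match' only for real accounts."""
        user = self.users.get(username)
        if user is None:
            return "Unknown user"  # constructed; the page does not quote this branch
        if user["reset_hash"] != _hash_key(auth_key):
            return "Password was not reset as AUTH_KEY did not match"
        user["password"], user["reset_hash"] = new_password, None
        return "Password reset"

    def safe_complete(self, username, auth_key, new_password):
        """Hardened form: constant-time compare, key consumed on first use, and the
        same GENERIC_RESPONSE whether the key matched, was reused, or the user is unknown."""
        user = self.users.get(username)
        if (user is not None and user["reset_hash"] is not None
                and hmac.compare_digest(user["reset_hash"], _hash_key(auth_key))):
            user["password"], user["reset_hash"] = new_password, None
        return GENERIC_RESPONSE
```

A second click in the hardened flow changes nothing and reads the same to the user as the first, so support emails and the account-enumeration signal both go away.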