
Reset Password #10887


0
KPCS created

Hi Team,

It is recommended that a user can reset the password only with the newest reset-password link sent to the registered email.

An attacker with physical access to the victim may use an older link to reset the password on behalf of the victim.

Please suggest.

Thanks,

Kind Regards, Kumar Prashant


2 Answer(s)
  • 0
    musa.demir created

    Hi @KPCS

    It is already implemented. Only the last reset password code is valid. Previously sent codes are not valid.

  • 0
    hra created

    Clarification for @KPCS, @musa.demir,

    It appears this "only honor the newest password reset code" behaviour was only implemented 3 months ago (after this thread was opened).

    https://github.com/aspnetzero/aspnet-zero-core/issues/4487
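The property discussed in the question and in musa.demir's answer, that only the most recently issued reset link for a user is honoured, is easy to get wrong when every issued token is kept in a table. The sketch below is an added illustration written for this thread; it is not ASP.NET Zero's code and does not use its identifiers. It assumes a 15-minute token lifetime and stores only a SHA-256 hash of each token, so a leaked database row does not yield a usable link. Issuing a new token overwrites the user's single record, which is what retires every earlier link; redeeming marks the record used, so the newest link also works only once.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption for this example: reset links expire 15 minutes after issue.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    token_hash: str      # hash of the token, never the token itself
    expires_at: float    # absolute time (seconds) after which the link is dead
    used: bool = False   # set once the link has been redeemed


class PasswordResetService:
    """Illustrative reset-token store: exactly one live token per user, newest wins."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        # One record per user id; a second issue_token() call replaces the first.
        self._records: Dict[str, ResetRecord] = {}
        self._now = now  # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, user_id: str) -> str:
        """Create a fresh reset token for user_id, invalidating any earlier one."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        # Overwriting the user's entry is what makes older links stop working.
        self._records[user_id] = ResetRecord(
            token_hash=self._hash(token),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem_token(self, user_id: str, token: str) -> bool:
        """Return True exactly once, for the newest unexpired token of user_id."""
        record: Optional[ResetRecord] = self._records.get(user_id)
        if record is None or record.used:
            return False
        if self._now() > record.expires_at:
            return False
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if not hmac.compare_digest(record.token_hash, self._hash(token)):
            return False
        record.used = True
        return True


def demo() -> Dict[str, bool]:
    """Walk through the scenario from the thread with a fixed clock."""
    clock = [1_000.0]
    svc = PasswordResetService(now=lambda: clock[0])

    old_link = svc.issue_token("alice")   # first email
    new_link = svc.issue_token("alice")   # user requests again; old link retired

    results = {
        "old_link_rejected": svc.redeem_token("alice", old_link) is False,
        "new_link_accepted": svc.redeem_token("alice", new_link) is True,
        "new_link_single_use": svc.redeem_token("alice", new_link) is False,
    }

    fresh = svc.issue_token("bob")
    clock[0] += TOKEN_TTL_SECONDS + 1  # advance past the lifetime
    results["expired_link_rejected"] = svc.redeem_token("bob", fresh) is False
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The same idea carries over to a relational store: keep a unique constraint on the user id in the reset-token table (or delete the user's existing rows inside the same transaction that inserts the new one), and compare hashes rather than looking tokens up by their plaintext value.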