KPCS created
Hi Team,
It is recommended that a user can reset the password only with the newly sent password reset link delivered to the registered email.
An attacker with physical access to the victim may use an older link to reset the password on behalf of the victim.
Please suggest.
Thanks,
Kind Regards, Kumar Prashant
2 Answer(s)
Hi @KPCS
It is already implemented. Only the last reset password code is valid. Previously sent codes are not valid.
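To make the "only the last reset code is valid" behaviour concrete, here is an added illustration (not AspNetZero's own code): a minimal reset-code store in which issuing a new code overwrites the previous one, codes expire, comparisons are constant-time, and a redeemed code cannot be replayed. The `ttl_seconds` default and the injectable `clock` are assumptions made for testability.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetRecord:
    code_hash: str    # only a hash of the code is persisted, never the code itself
    expires_at: float


class PasswordResetService:
    """Issues password reset codes; only the most recently issued code per user is honored."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds          # assumed lifetime of a reset code
        self.clock = clock              # injectable clock so expiry can be tested offline
        self._records: dict[str, ResetRecord] = {}

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue_code(self, user_id: str) -> str:
        code = secrets.token_urlsafe(32)
        # Overwriting the record invalidates any previously issued code for this user,
        # so an older link found by an attacker no longer works.
        self._records[user_id] = ResetRecord(self._hash(code), self.clock() + self.ttl)
        return code

    def redeem(self, user_id: str, code: str) -> bool:
        rec = self._records.get(user_id)
        if rec is None or self.clock() > rec.expires_at:
            self._records.pop(user_id, None)   # drop expired state
            return False
        if not hmac.compare_digest(rec.code_hash, self._hash(code)):
            return False                       # stale or wrong code
        # Single use: a redeemed code cannot be replayed.
        del self._records[user_id]
        return True
```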
Clarification for @KPCS, @musa.demir:
It appears this "only honor the newest password reset code" behaviour was only implemented 3 months ago (after this thread was opened).
https://github.com/aspnetzero/aspnet-zero-core/issues/4487