Hi Gaurav, this is just a blog, not online banking, so I don't think we
should be storing security questions, as *that* becomes a security hole
(A bad guy blog administrator can gather bloggers' security answers by
reading the table and use *that* to go after bloggers' online banking
sites, etc.) In many cases blogs are either single-user or students at
a school (http://blogs.mervpolis.com/roller/), nothing serious, and the
blog admin can always change an individual blog's password if needed
even without ROL-9.
I think what we need is an ability to email a reset password for a given
email address (not the old real password, but a reset one that is some
random string, different for each request), *and* a blog-administration
level setting allowing/disallowing emailed password resets, so if this
option is disallowed for security reasons Roller will be back to what it
presently is, where only admins can reset passwords. Perhaps other
Apache webapp projects (JSPWiki? maybe some others) already have this
password reset functionality so Roller can copy that code over directly.
Regards,
Glen
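As an added illustration of the reset flow Glen sketches above (not code from the thread or from Roller itself): a fresh random token per request, an admin-level switch that turns the feature off, and only a digest of the token stored, so that an administrator reading the table gets nothing reusable. The user store, TTL and password hashing are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # constructed: emailed reset tokens expire after one hour


def hash_password(password, salt=None):
    """Stand-in for the app's own password hashing (salted PBKDF2)."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordResetService:
    """Email-based reset: random one-time token, admin-controlled on/off setting."""

    def __init__(self, users, reset_enabled=True, now=time.time):
        self.users = users                  # email -> {"password_hash": bytes}
        self.reset_enabled = reset_enabled  # the blog-administration setting
        self.pending = {}                   # email -> (token_digest, expires_at)
        self.now = now                      # injectable clock for testing expiry

    @staticmethod
    def _digest(token):
        # Only this digest is persisted; the table never holds a usable token.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Return the one-time token to email to the user, or None."""
        if not self.reset_enabled or email not in self.users:
            return None  # same answer for unknown accounts: no user enumeration
        token = secrets.token_urlsafe(32)  # different random string per request
        self.pending[email] = (self._digest(token), self.now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, email, token, new_password):
        """Accept the emailed token once, within its lifetime, and set a new password."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.now() > expires_at:
            del self.pending[email]  # expired tokens are discarded, not retried
            return False
        if not hmac.compare_digest(digest, self._digest(token)):
            return False
        del self.pending[email]  # single use: a second click with the same link fails
        self.users[email]["password_hash"] = hash_password(new_password)
        return True
```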
On 12/13/2013 08:12 AM, Gaurav wrote:
Hello,
I was wondering about the forgotten passwords feature that is missing in
Roller; I found this issue already in JIRA under popular issues [1].
I am thinking of fixing this issue, as this is a major issue in case a user
loses their password. I am thinking of adding a new field to the user
registration form for a security question, where we can have some default
questions and store their answers in the database. This question
can be used in case a user forgets the password.
I want some starting help on how I should go about solving this issue.
Thanks in advance for any help.
[1] - https://issues.apache.org/jira/browse/ROL-9