#27518: HTTP Referer leaks password reset link
-------------------------------------+-------------------------------------
     Reporter:  Romain Garrigues     |                    Owner:  Romain
         Type:                       |  Garrigues
  Cleanup/optimization               |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  1.10
     Severity:  Normal               |               Resolution:
     Keywords:  password reset       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Florian Apolloner):

 @Romain Garrigues: So what I imagine is the following:

 * The user gets the link: ''/reset/Mq/asdga-yxflkjxc78121/''
 * You store ''asdga-yxflkjxc78121'' in the session and redirect to
   ''/reset/Mq/set-password/'' (luckily our regex allows for this)
 * If the token is ''set-password'' and the session has the proper value we
   can reset the password

 This allows us to:

 * Not alter the password for the user twice
 * Keep the most compatibility with the existing system (same URL etc, no
   changes needed unless you manually changed the regex)
 * Not leak any information (only Mq which is the user id, which is
   guessable anyways)
 * We do not have to store any extra information in the session

 Is that clear enough? If yes, do you want to try a patch against the class
 based views in master?

--
Ticket URL: <https://code.djangoproject.com/ticket/27518#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
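The two-step flow sketched in the comment above, as an added illustration that is not Django's code and not part of the ticket: the real token appears only in the first request, is moved into the session, and the browser is redirected to the neutral ''set-password'' URL, so any Referer header sent from the page that renders the form carries no secret. The names SECRET, SESSION_KEY, Response, USERS and the toy HMAC token are constructed for this example; Django's real token generator also binds a timestamp and last_login, while this one binds only the current password hash, which is enough to show that a used link stops working.

```python
import hmac
import hashlib
from dataclasses import dataclass

SECRET = b"constructed-example-secret"   # placeholder, not a real key
SESSION_KEY = "_password_reset_token"     # assumed session key name
URL_TOKEN = "set-password"                # placeholder token from the comment

# Constructed user store: uidb64 -> current password hash
USERS = {"Mq": {"password_hash": "pbkdf2$old-hash"}}


def make_token(uidb64: str) -> str:
    """Toy reset token: HMAC over the user id and the current password hash."""
    msg = f"{uidb64}:{USERS[uidb64]['password_hash']}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def check_token(uidb64: str, token) -> bool:
    """Constant-time comparison; False for unknown users or a missing token."""
    if uidb64 not in USERS or not token:
        return False
    return hmac.compare_digest(make_token(uidb64), token)


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""


def reset_confirm_view(uidb64: str, token: str, session: dict) -> Response:
    """Handles /reset/<uidb64>/<token>/ with the token moved into the session."""
    if token == URL_TOKEN:
        # Second request: the real token comes from the session, not the URL,
        # so the address of the page rendering the form holds no secret.
        if check_token(uidb64, session.get(SESSION_KEY)):
            return Response(200, body="set-password form")
        return Response(200, body="invalid link")
    if check_token(uidb64, token):
        # First request: stash the token and redirect to the neutral URL.
        session[SESSION_KEY] = token
        return Response(302, location=f"/reset/{uidb64}/{URL_TOKEN}/")
    return Response(200, body="invalid link")


def complete_reset(uidb64: str, session: dict, new_password_hash: str) -> bool:
    """POST handler: requires the session token, then changes the password."""
    if not check_token(uidb64, session.get(SESSION_KEY)):
        return False
    USERS[uidb64]["password_hash"] = new_password_hash
    session.pop(SESSION_KEY, None)  # the token is invalid from here on anyway
    return True


def walkthrough() -> dict:
    """Runs the whole flow once and reports what each step produced."""
    session = {}
    link_token = make_token("Mq")
    first = reset_confirm_view("Mq", link_token, session)
    second = reset_confirm_view("Mq", URL_TOKEN, session)
    changed = complete_reset("Mq", session, "pbkdf2$new-hash")
    # Replaying the original link after the reset must be rejected.
    replay = reset_confirm_view("Mq", link_token, session)
    return {
        "redirect": first.location,
        "form_shown": second.body == "set-password form",
        "changed": changed,
        "replay_ok": replay.body == "set-password form",
        "token_in_redirect": link_token in first.location,
    }


if __name__ == "__main__":
    print(walkthrough())
```

The detail worth checking in a review of any such patch is the replay step: once the password changes, the token stored in the session must no longer validate, otherwise a stale session could still reach the form.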