[ https://issues.apache.org/jira/browse/JSPWIKI-159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12935661#action_12935661 ]
Stefan Bohn commented on JSPWIKI-159:
-------------------------------------
Janne
"Allowing login credentials for password recovery is a problem, since that
means that you could be subjected to a denial-of-service attack. Say, have a
bot reset your password every few minutes."
Like other sites, we could first send an email with a (temporary?) link to
confirm the change request. Then the user has to follow the link to change the
password.
> Getting a new password is only possible for one user per mail address
> ----------------------------------------------------------------------
>
> Key: JSPWIKI-159
> URL: https://issues.apache.org/jira/browse/JSPWIKI-159
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication&Authorization
> Reporter: Florian Holeczek
>
> If there's more than one user with a given email address, it's only possible
> for one of these users to get a new password via email.
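The confirmation-link flow proposed in the comment above, as an added example that is not JSPWiki code and not written by the commenters: requesting a reset changes nothing, and the password is replaced only when a signed, expiring, per-login link is followed. `SERVER_KEY`, `TOKEN_TTL`, `USERS`, the function names and the 15-minute lifetime are assumptions made for this sketch, and it is written in Python as a language-neutral illustration.

```python
import base64, hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # assumption: per-deployment secret, kept server-side
TOKEN_TTL = 15 * 60           # assumption: links expire after 15 minutes

def hash_password(pw):
    # Stand-in for the wiki's real password hasher (fixed demo salt, not for production).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 100_000).hex()

# Constructed sample user store: two logins share one mail address (the JSPWIKI-159 case).
USERS = {
    "alice": {"email": "shared@example.org", "pw_hash": hash_password("old-a")},
    "bob":   {"email": "shared@example.org", "pw_hash": hash_password("old-b")},
}

def mac_for(login, expires, pw_hash):
    # Binding the MAC to the current password hash makes the link single-use:
    # once the password changes, every outstanding token stops verifying.
    msg = f"{login}|{expires}|{pw_hash}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def request_reset(email, now=None):
    """Return one (login, token) per account using this address; changes nothing."""
    now = int(time.time() if now is None else now)
    expires = now + TOKEN_TTL
    links = []
    for login, user in USERS.items():
        if user["email"] == email:
            raw = f"{login}|{expires}|{mac_for(login, expires, user['pw_hash'])}"
            links.append((login, base64.urlsafe_b64encode(raw.encode()).decode()))
    return links

def confirm_reset(token, new_password, now=None):
    """Apply the change only if the token is authentic, unexpired and unused."""
    now = int(time.time() if now is None else now)
    try:
        login, expires, mac = base64.urlsafe_b64decode(token).decode().split("|")
        expires = int(expires)
    except ValueError:  # bad base64, bad UTF-8, wrong field count, non-numeric expiry
        return False
    user = USERS.get(login)
    if user is None or now > expires:
        return False
    expected = mac_for(login, expires, user["pw_hash"])
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    user["pw_hash"] = hash_password(new_password)
    return True
```

A bot that calls `request_reset` repeatedly only generates mail; no account's password changes until its owner follows the link, and each login sharing the address gets its own link.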