Issue #275 has been updated by Clément Oudot.
Jason Shugart wrote:
> Sounds good.
>
> The complex change to a number would mean 1, 2, 3, or 4 different character
> types required, I assume. That is easy.
>
> I agree 60 seconds may be too small, but 1 hour seems pretty long. I wanted
> it short for me so it would be less likely to be used again or by someone
> else. I'll set it to an hour by default and will change it for my own
> install.
>
We should maybe say that the default value is 'no expiration', meaning that
this parameter does not exist:
{code}
#$token_expire = 60
{code}
This allows upgrading the software while keeping its old configuration file. In
this case, you must test that the value exists before applying an expiration
time to the session (else with old configurations, the session will always be
expired).
> For the .SID, I fought with that for a while. I think the issue came down to
> having a session defined by a cookie using PHPSESSID. If somehow a session
> was set with this instead of token, nothing would show up when I used .SID.
> Using session_id seemed to be the most reliable way to get the id on the URL.
PHP should trust this to get the session id value:
{code}
session_name("token");
session_start();
{code}
This means even if a cookie contains a PHPSESSID, as it is not the session
name, it will not be used. Do you have another behavior?
> I'll upload another patch when I get the changes made.
Great :)
----------------------------------------
Feature #275: Added a couple of features
http://tools.lsc-project.org/issues/275
Author: Jason Shugart
Status: Assigned
Priority: Normal
Assigned to: Clément Oudot
Category: Self Service Password
Target version: self-service-password-0.5
I ran across the Self Service Password tool and really liked it. However,
there were a couple of items that I thought might be useful. I coded the
changes and have tested them a bit. Feel free to adjust as needed or throw out
entirely.
My changes:
1. Email notification whenever your password is changed.
I added a $notify_on_change to the config, and if true sends an email to the
user letting them know their password was changed.
2. Added a $mail_from variable to the config.
This way any emails will have a valid return address.
3. Token expiration
The previous code could potentially allow someone else to reset your
password if they found the link in their email. I added an expiration time
(defaulting to 60 seconds) so any request after the 60 seconds to change the
password will result in an invalid token.
4. Added a complex password check
Much like the windows complexity check for 3 of the 4 character types
(upper, lower, digits, special).
5. Fixed a couple of bugs in the check_password_strength function calls
I'll attach the patch files.
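As an added example (not code from the Self Service Password project nor from the patch attached to this issue), the following PHP fragment shows the two checks discussed above: the token expiration applied only when $token_expire is defined in the configuration (so an old config file keeps the "no expiration" behaviour instead of rejecting every token), and a Windows-style "N of 4 character classes" complexity check. The config name $token_expire, the session key 'time', and the function names are assumptions made for this example.

```php
<?php
// Added example, not project code. Assumed names: $token_expire (optional config
// setting), $_SESSION['time'] (when the reset token was issued).

// --- config.inc.php fragment (assumed) ---
// Leave this line commented out to keep the old behaviour: no expiration.
#$token_expire = 3600;

// Use "token" as the session name so that a stray PHPSESSID cookie sent by the
// browser is ignored; only the "token" cookie or URL parameter selects the session.
session_name("token");
session_start();

// Is the reset token stored in the session still usable?
// $token_expire === null means the parameter is absent from an old config file:
// never expire in that case, otherwise every upgraded install would reject all tokens.
function token_is_valid(array $session, $token_expire, $now)
{
    if (!isset($session['time'])) {
        return false;                       // no reset was started in this session
    }
    if ($token_expire === null) {
        return true;                        // old configuration: no expiration
    }
    return ($now - (int) $session['time']) <= (int) $token_expire;
}

// Windows-style complexity: count how many of the 4 character classes
// (upper, lower, digit, special) the password uses and require at least $required.
// Anything that is not an ASCII letter or digit counts as "special" here.
function password_is_complex($password, $required)
{
    $classes = array('/[A-Z]/', '/[a-z]/', '/[0-9]/', '/[^A-Za-z0-9]/');
    $found = 0;
    foreach ($classes as $re) {
        if (preg_match($re, $password)) {
            $found++;
        }
    }
    return $found >= $required;
}

// Caller side: read the optional setting without a notice when it is absent.
$expire = isset($token_expire) ? (int) $token_expire : null;
$newpassword = isset($_POST['newpassword']) ? $_POST['newpassword'] : '';

if (!token_is_valid($_SESSION, $expire, time())) {
    echo "Invalid or expired token\n";
} elseif (!password_is_complex($newpassword, 3)) {
    echo "Password must contain at least 3 of: upper, lower, digit, special\n";
} else {
    echo "Token accepted, password complexity OK\n";
}
```

With $token_expire left commented out, token_is_valid() receives null and accepts any token that has a recorded issue time, which is exactly the "no expiration" default an upgraded installation would get; uncommenting the setting turns the age check on without any other change.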
_______________________________________________
ltb-dev mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-dev