Thanks Pierre,

I think we already have a Jira [1] for this and there are ongoing efforts to change this.

Please check if you would like to add your proposal to the issue.

Thanks,

Michael Brohl
ecomify GmbH
www.ecomify.de


[1] https://issues.apache.org/jira/browse/OFBIZ-4361


On 27.02.18 at 15:46, pierre.gaudin wrote:
I would like to make an evolution in the management of the request of password loss.

At present the stages are the following ones:
  1 - Request of loss of password (by the user)
  2 - Change of password by a temporary one (by the system)
  3 - Send of an e-mail with a link to define a new password (by the system)
  4 - Set the new password (by the user)
  5 - Recording of the new password (by the system)

This workflow is problematic because the change of password is made as soon as the person confirms the change of password (stage 2). It is possible that the person who makes the change of password is not the person associated with the account.

Here is a proposal of modification of the workflow
  1 - Request of loss of password (by the user)
  2 - Recording of a request of lost of password associated with the login (by the system)
  3 - Send of an e-mail to confirm the request of change of password with a link containing the reference of the request to change of password (by the system)
  4 - Connection of the user to the form to change the password and seized with a new password (by the user)
  5 - Check that the login and the request are associated
  6 - Recording of the new password (by the system)

What do you think about this change?


Pierre
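
A sketch of the proposed workflow, added here as an illustration; it is not part of the e-mails above and is not OFBiz code. The `ResetStore` class, the in-memory tables, the 15-minute lifetime, the single-use rule and storing only a hash of the request reference are assumptions, not points made in the thread.

```python
import hashlib
import hmac
import secrets
import time

REQUEST_TTL = 15 * 60  # assumed request lifetime in seconds (not from the thread)

class ResetStore:
    """In-memory stand-in for the user and reset-request tables (hypothetical)."""

    def __init__(self):
        self.passwords = {}  # login -> (salt, PBKDF2 hash)
        self.requests = {}   # sha256(reference) -> (login, expiry time)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, login, password):
        salt = secrets.token_bytes(16)
        self.passwords[login] = (salt, self._hash(password, salt))

    def check_password(self, login, password):
        salt, stored = self.passwords[login]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def request_reset(self, login, now=None):
        """Stage 2: record the request. The current password is not touched."""
        if login not in self.passwords:
            return None  # the caller should answer the same way in both cases
        now = time.time() if now is None else now
        reference = secrets.token_urlsafe(32)  # stage 3: goes into the e-mailed link
        key = hashlib.sha256(reference.encode()).hexdigest()
        self.requests[key] = (login, now + REQUEST_TTL)
        return reference

    def complete_reset(self, login, reference, new_password, now=None):
        """Stages 5 and 6: check login/request association, then record the password."""
        now = time.time() if now is None else now
        key = hashlib.sha256(reference.encode()).hexdigest()
        entry = self.requests.get(key)
        if entry is None or entry[0] != login:
            return False  # unknown reference, or issued for another login
        del self.requests[key]  # single use; this also discards an expired request
        if now > entry[1]:
            return False
        self.set_password(login, new_password)
        return True
```

Unlike the current stage 2, an unconfirmed request here leaves the existing password valid, so a request made by someone other than the account holder does not lock the holder out.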


