Booked Scheduler Community Support
Topic: 'Remember me' functionality and 'disable.password.reset'
lorenzov.bookedscheduler
« on: November 29, 2018, 03:55:28 PM »

If we understood correctly (our tests lead us to suppose so), the 'Remember me' functionality is risky.
Someone could reset the passwords of our users knowing only their e-mail addresses (this could be easy if we don't hide reservation details).
We suggest using a different approach, for example sending an e-mail with a one-time code known by the server and asking for this code before actually resetting the password.

Moreover, setting 'disable.password.reset' to TRUE disables the 'Remember me' functionality (and we need that, based on what we described above) but also disables the possibility for the user to change his password after logging into the application. A setting should exist that disables the 'Remember me' functionality but allows changing the password after login.
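The one-time-code flow suggested in the post above, as an added sketch that is not part of the original thread and is not Booked Scheduler code (written in Python for illustration). The class name, the 15-minute lifetime, the attempt limit and the in-memory store are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed validity window
MAX_ATTEMPTS = 5             # assumed limit on wrong guesses per code


class ResetCodeStore:
    """In-memory stand-in for a server-side table of pending resets (hypothetical)."""

    def __init__(self, clock=time.time):
        self._pending = {}   # email -> [sha256(code), expires_at, attempts_left]
        self._clock = clock

    def request_reset(self, email):
        """Create a one-time code; the caller e-mails it to the account owner.

        The request alone changes nothing: the old password keeps working.
        """
        code = secrets.token_urlsafe(32)   # unguessable, about 256 bits
        digest = hashlib.sha256(code.encode()).digest()
        # Only the hash is stored, so a leaked table holds no usable codes.
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[email.lower()] = [digest, expires_at, MAX_ATTEMPTS]
        return code

    def confirm_reset(self, email, code):
        """Return True exactly once, for a valid and unexpired code."""
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[key]         # expired or guessed too often
            return False
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            entry[2] -= 1                  # count the failed guess
            return False
        del self._pending[key]             # single use
        return True
```

Only when `confirm_reset` returns True would the application let the user set a new password, so knowing an e-mail address alone is not enough to change anything.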
Blackeyez
« Reply #1 on: December 11, 2018, 03:00:51 AM »

What you have described is appropriate to get a lot of good responses from people around the world.