- Merge request !151 Issue #3097238: Protect initial login link against abuse (Open) created by roderik
- First commit to issue fork.
- last update
almost 2 years ago 29,565 pass
- Status changed to Needs review
almost 2 years ago 7:03am 30 June 2023
- last update
almost 2 years ago 29,566 pass
- 🇨🇦 Canada Charlie ChX Negyesi Canada
Serving as the Ghost of Drupal Past, as I am sure everyone remembers ;) José added this not long ago ;) in #18719: Request New Password Security with a little dabbling from me but even I can't recall the reason for no timeout on first login. Re-reading the issue, it was introduced in #14 but there's no reasoning given. Considering some use cases here... for example you might be registering on an event website months ahead, get a link and never bother to go through with the actual account creation until the event comes. If we consider this a valid use case then maybe we should add instructions on how to obtain a fresh reset link -- AFAIK currently the only way in the web UI is to visit user/reset, enter the username and click... so maybe we should consider adding username prefill functionality to the user reset page and add instructions to the initial user mail?
- Status changed to Needs work
almost 2 years ago 11:58pm 2 July 2023
- 🇺🇸 United States smustgrave
This seems like something that could use an issue summary update.
Is the same approach from 3 years ago still desired?
- 🇺🇸 United States daddison
The issue summary still seems solid to me.
- last update
over 1 year ago 25,746 pass, 1,791 fail
- First commit to issue fork.