When a user uses the »I forgot my password« link several times and gets a couple of emails, each one with a tokenized link to reset his password, what would be the appropriate behaviour?
- All links work and he can reset his password as many times as he likes.
- Only the link in the newest email works and the others aren't valid anymore.
- It does not matter which token is being used and all remaining links become invalid.
Answer
Keep track of active reset links for a given email address. If a link is still active, and the 'forgot password' button is clicked again, resend the active reset link. You can even warn the user that an email was already sent and that she should maybe check her spam folder.
You still run into the problem that no reset link should be active for longer than about 24 hours. It's probably bad security to extend this period every time the email is requested, so this period should still count from the first request, no matter how many requests follow. From about one hour before the end, a new request should start a new reset link, with a fresh 24-hour window. There's no real need to disable the old one, as it will be disabled soon anyway. This is a potentially confusing situation, but it should be a rare occurrence.
If a user clicks a disabled link, make sure to give really clear instructions, as the user will be confused, and you have all the information to remove this confusion. Tell her she clicked a link that was requested too long ago. If there are active reset links, tell her to check for the most recent reset email. If there aren't any active links, tell her to request again.
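The lifecycle described in this answer (one 24-hour window counted from the first request, resend while a link is active, a fresh link only in the last hour, and distinct messages for expired versus unknown links), as an added example that is not part of the original answer. The class and field names, the in-memory store, and the choice to retire every link after a successful reset are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field

WINDOW = 24 * 3600       # a link lives 24 h, counted from the FIRST request
RENEW_BEFORE_END = 3600  # in the last hour a request mints a fresh link instead


@dataclass
class ResetLink:
    token: str
    created_at: int
    expires_at: int


@dataclass
class ResetService:
    # email -> links issued, newest last. Kept in the clear here so the very same
    # link can be re-sent; a real store must protect this table like a credential.
    links: dict = field(default_factory=dict)

    def request_reset(self, email: str, now: int):
        """Return (token, status); status is 'new' or 'resent'."""
        active = [l for l in self.links.get(email, []) if now < l.expires_at]
        if active and now < active[-1].expires_at - RENEW_BEFORE_END:
            # an active link with more than an hour left: resend it and warn the user
            return active[-1].token, "resent"
        link = ResetLink(secrets.token_urlsafe(32), now, now + WINDOW)
        # older links stay usable until they expire on their own
        self.links.setdefault(email, []).append(link)
        return link.token, "new"

    def consume(self, email: str, token: str, now: int) -> str:
        """Validate a clicked link and return a message key for the user."""
        issued = self.links.get(email, [])
        hit = next((l for l in issued if secrets.compare_digest(l.token, token)), None)
        if hit is None:
            return "unknown_link"
        if now >= hit.expires_at:
            # requested too long ago: point to the newest mail if one is still active
            if any(now < l.expires_at for l in issued):
                return "expired_check_most_recent_email"
            return "expired_request_again"
        self.links.pop(email, None)  # assumption: a successful reset retires every link
        return "ok"
```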