1 Jul 10, 2006 20:59

I've been having some trouble with my website lately.

Several users have emailed me complaining that they are getting unsolicited "Lost Password" requests. Because B2evo automatically changes the password without any kind of verification, this is a major annoyance for a lot of users, and now, it has started happening to me as well. Granted, it's not a security concern, it's just a giant hassle because anyone can come in, access the "Lost your password?" page, and have the password changed on any of the user accounts.

Short of completely deleting the lost password page, is there anything that can be done to add a security measure to this feature?

2 Jul 10, 2006 23:20

The best way for this should be to do like PhpBB does: the new password is stored in a "new password" field, then this new pass is mailed to the user with a link containing an activation code to activate that new password for the user. This means if the link is not clicked the password is not changed.

There is another solution, which is to prevent anybody from accessing the password recovery page, which is a simple htaccess rule.

Please tell which solution you prefer, and I may write a hack to help you ;)
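The phpBB-style flow described above, as an added example that is not part of this thread or of b2evolution's code: the account's current password keeps working until the activation key mailed to the user is presented, the key is stored only as a hash, the pending change expires after an assumed one hour, and it is single use. The names (PasswordResetStore, request_reset, activate), the in-memory stores and the one-hour lifetime are assumptions; the caller passes the current time and does the mailing.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 3600  # assumed: an activation link is only good for one hour


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordResetStore:
    def __init__(self):
        self.users = {}    # username -> (salt, password_hash)
        self.pending = {}  # username -> (key_hash, salt, new_hash, expires_at)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def check_login(self, username, password):
        entry = self.users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def request_reset(self, username, now):
        # New password and activation key go out by mail; the old password keeps
        # working. Returns None for unknown users; reply identically either way.
        if username not in self.users:
            return None
        new_password, key = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.pending[username] = (hashlib.sha256(key.encode()).digest(), salt,
                                  _hash_password(new_password, salt),
                                  now + TOKEN_TTL_SECONDS)
        return new_password, key

    def activate(self, username, key, now):
        # Swap in the pending password only if the mailed key matches and the
        # request is unexpired. Any attempt, good or bad, consumes the request.
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        key_hash, salt, new_hash, expires_at = entry
        if now > expires_at or not hmac.compare_digest(
                key_hash, hashlib.sha256(key.encode()).digest()):
            return False
        self.users[username] = (salt, new_hash)
        return True
```

Because nothing changes until the key from the user's mailbox is presented, a stranger submitting the "Lost your password?" form can at most cause an unwanted email, not a changed password.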

3 Jul 11, 2006 01:00

What version are you running?

4 Jul 11, 2006 22:47

Preferably I'd like to have something like PHPbb2 does, like you mentioned, but if worst comes to worst I'll just prevent access to the lost password form.

As for the version: I'm running version 0.9.2. I noticed on the feature list of v 1.6 alpha that it does something like we were writing about above, so I'm going to try borrowing some code from that version and playing around with it.

5 Jul 11, 2006 22:50

Hambriq wrote:

As for the version: I'm running version 0.9.2. I noticed on the feature list of v 1.6 alpha that it does something like we were writing about above, so I'm going to try borrowing some code from that version and playing around with it.

Why would you want to grab code from the alpha version, when the beta version has been released:
http://b2evolution.net/news/2006/07/09/b2evolution_1_8_summer_beta_released