Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: 1 [2]   Go Down

Author Topic: forgot password issue  (Read 12239 times)

0 Members and 1 Guest are viewing this topic.

donnoman

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1615
  • From donovanbray.com
    • Donovan Bray
Re: forgot password issue
« Reply #20 on: March 06, 2005, 01:38:34 am »

The way to stop the brute force truely is to use the same technique that we do logins, x many attempts in y amount of time = lockout of z minutes.

Whether its a password change, or a password reset request.
Logged

omniscientdeveloper

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 901
Re: forgot password issue
« Reply #21 on: March 06, 2005, 02:20:02 am »



I'd prefer if you use the make_password method to create a special hash, one not related to anything already stored. Tie this with the requester's session, so it'll die after a time or if they remember and login. With that, all you'll need to pass is the user's email address or user_id in the url, which the requester should already know, since it could be easy to find. With this, I wouldn't worry about any brute force attempts, since it wouldn't work without the correct special hash and access to the user's email.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: forgot password issue
« Reply #22 on: March 21, 2005, 09:09:28 am »

can this still be implemented for cpg1.4.x (and if yes, who will do so?), or should we mark the entire thread as "known issue" and schedule it for cpg1.5?

Joachim
Logged

omniscientdeveloper

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 901
Re: forgot password issue
« Reply #23 on: March 21, 2005, 02:02:26 pm »

I've already done this also. I can't commit until Saturday, because I am away.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: forgot password issue
« Reply #24 on: March 22, 2005, 06:38:11 am »

OK, good to hear that.

Joachim
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: forgot password issue
« Reply #25 on: April 03, 2005, 02:04:24 pm »

*bump*
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: forgot password issue
« Reply #26 on: July 31, 2005, 12:14:54 pm »

[moderation]
bumping this unresolved thread to the top...
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: forgot password issue
« Reply #27 on: August 09, 2005, 09:28:48 am »

sent an email to Chris, asking him if he still has the proposed fix.
Logged

omniscientdeveloper

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 901
Re: forgot password issue
« Reply #28 on: August 26, 2005, 09:41:27 am »

I posted a fix in the dev board.
Logged

omniscientdeveloper

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 901
Re: forgot password issue
« Reply #29 on: September 06, 2005, 10:53:55 am »

Done.

updated in CVS by Gau.
Logged
Pages: 1 [2]   Go Up
 

Page created in 0.016 seconds with 19 queries.