View Issue Details

ID: 0003706
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2004-08-29 02:35
Reporter: DGtlRift
Assigned To: vboctor
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: duplicate
Summary: 0003706: Password reminder
Description

It would be a nice feature for a user who cannot remember their password to have either a password reminder or an authentication URL token for changing the password emailed to the user.

Tags: No tags attached.

Relationships

duplicate of 0000633 (closed, masc): email lost password page

Activities

stef02 (reporter), 2004-05-07 09:35, ~0005475

It isn't very secure to send a password by mail. We do it like this:

Store a randomly generated ID in the session and send the ID by mail. The user enters this ID and can then enter a new password. The ID is only valid while the user's browser is open!

redcom (reporter), 2004-05-10 07:49, ~0005483

This seems like a very reasonable method to protect the users. How difficult would it be to implement? Would there need to be another cookie?

stef02 (reporter), 2004-05-10 08:02, ~0005484

It's very easy to implement this. We use the PHP session and save the SessID as a cookie. So we only have one cookie for our whole site.

Another nice option is to disable the user account after 3 retries. The user can now activate his account by using the lost password function.

If you want, I can try to implement this function in Mantis. Please describe how I can do this (CVS?).
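
The session-bound reset ID described in stef02's notes above, written out in PHP as an added example; it is not part of the original thread and not MantisBT's code. The function names, the 15-minute lifetime, the cap on wrong guesses and storing only a hash of the ID are assumptions of this example.

```php
<?php
// Added illustration, not MantisBT code. Function names, the 15-minute
// lifetime and the guess limit are assumptions made for this example.
const RESET_TTL = 900;       // seconds the emailed ID stays valid (assumed)
const RESET_MAX_TRIES = 3;   // wrong guesses allowed per session (assumed)

// Create the ID, keep only its hash in the session, and return the ID
// so the caller can put it in the email body.
function reset_begin(array &$session, string $username): string
{
    $id = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $session['pw_reset'] = [
        'user'    => $username,
        'hash'    => hash('sha256', $id),
        'expires' => time() + RESET_TTL,
        'tries'   => 0,
    ];
    return $id;
}

// Check a submitted ID against the one bound to this session.
// Returns the username whose password may now be changed, or null.
function reset_verify(array &$session, string $submitted): ?string
{
    $pending = $session['pw_reset'] ?? null;
    if ($pending === null) {
        return null;                   // no reset pending in this session
    }
    if (time() > $pending['expires'] || $pending['tries'] >= RESET_MAX_TRIES) {
        unset($session['pw_reset']);   // expired or guessed too often
        return null;
    }
    if (!hash_equals($pending['hash'], hash('sha256', $submitted))) {
        $session['pw_reset']['tries']++;
        return null;
    }
    unset($session['pw_reset']);       // single use
    return $pending['user'];
}

// Constructed demo: a plain array stands in for $_SESSION.
$session = [];
$id = reset_begin($session, 'alice');
var_dump(reset_verify($session, 'not-the-id'));
var_dump(reset_verify($session, $id));
var_dump(reset_verify($session, $id));
```

In a web request, call session_start() and pass $_SESSION instead of the demo array; the emailed ID then only works in the browser session that requested it.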

vboctor (manager), 2004-07-19 16:59, ~0006153

Reminder sent to masc

Marcello, can you please update this issue with the discussions that occurred in mantisbt-dev?