
FUDforum Suggestions: Password reset e-mails (Suggested change to text of password reset confirmation message)
Password reset e-mails [message #187079] Tue, 15 March 2016 16:39
Posted by dgt224 (Junior Member, United States; Location: Augusta, Georgia, USA; Messages: 2; Registered: March 2016; Karma: 0)
In .../thm/default/tmpl/reset.tmpl, reset_newpass_msg is defined to include the text of reset_suffix. That incorporates the following text into the message informing a user that their password has been changed:
If you received this message in error, please ignore it. 
If you are receiving multiple copies of this e-mail, which you 
have not requested, please contact the forum administrator at ...

I suggest that including this text when the user's password has actually been changed is seriously misleading. As far as I can tell, reset_newpass_msg is never sent unless the user's password has been changed, so the user will subsequently be unable to log in on the forum that sent the message. There are other places where reset_suffix is appropriate, because the message can be triggered by an attacker without actually causing any damage. But in this case someone other than the user has apparently managed to trigger the password reset process and access the reset link with the correct key; I have been unable to think of a way to do so that doesn't involve reading the user's e-mail messages. That doesn't sound to me like something the user should ignore; in fact, it suggests that the user's login has been successfully hijacked and that their e-mail account has been compromised.

Since the first e-mail message sent for a password reset (reset_reset) also includes reset_suffix, it may suffice to simply remove reset_suffix from reset_newpass_msg. Alternatively, a new message based on reset_suffix but without the suggestion that the message be ignored could be added and used here.
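The distinction the post draws, "a reset was requested, nothing happened yet" versus "the password has actually been changed", can be checked mechanically. The following is an added example, not FUDforum's code and not its template syntax: the two suffix texts are constructed stand-ins for reset_suffix and for a hypothetical replacement, the builder functions stand in for reset_reset and reset_newpass_msg, and audit() is a small lint that flags any post-change notification that tells the recipient to ignore it or gives no way to report an unauthorised change.

```python
"""Added example: classify password-reset e-mails and lint their closing text.

Not FUDforum code. Template wording and function names are constructed for
illustration; the idea is that a message sent only AFTER a password change is a
potential account-takeover signal and must never say "ignore".
"""
import re
from dataclasses import dataclass

# Constructed stand-in for reset_suffix (wording paraphrased from the post).
# Appropriate when the message can be triggered without causing any damage.
RESET_SUFFIX = (
    "If you received this message in error, please ignore it.\n"
    "If you are receiving multiple copies of this e-mail, which you\n"
    "have not requested, please contact the forum administrator at {admin_email}\n"
)

# Hypothetical replacement suffix for the post-change message: no "ignore"
# advice, an explicit call to act, because the password really has changed.
RESET_CHANGED_SUFFIX = (
    "If you did not make this change, someone else has used the reset link sent\n"
    "to your e-mail address. Contact the forum administrator at {admin_email}\n"
    "immediately and secure your e-mail account.\n"
)


@dataclass(frozen=True)
class ResetMail:
    # "request": password not changed yet; "confirmation": password already changed
    kind: str
    body: str


def build_reset_request(login: str, reset_url: str, admin_email: str) -> ResetMail:
    """Analogue of reset_reset: only a link is sent, so 'ignore' advice is harmless."""
    body = (
        f"Hello {login},\n\n"
        "A password reset was requested for your account. To choose a new\n"
        f"password, open: {reset_url}\n\n"
    )
    return ResetMail("request", body + RESET_SUFFIX.format(admin_email=admin_email))


def build_confirmation_before(login: str, admin_email: str) -> ResetMail:
    """Analogue of the current reset_newpass_msg: reuses the misleading suffix."""
    body = f"Hello {login},\n\nYour password has been changed.\n\n"
    return ResetMail("confirmation", body + RESET_SUFFIX.format(admin_email=admin_email))


def build_confirmation_after(login: str, admin_email: str) -> ResetMail:
    """Hypothetical fix: a post-change message with a dedicated suffix."""
    body = f"Hello {login},\n\nYour password has been changed.\n\n"
    return ResetMail(
        "confirmation", body + RESET_CHANGED_SUFFIX.format(admin_email=admin_email)
    )


# Lint patterns: "ignore it/this" guidance, and some way to contact an admin.
IGNORE_RE = re.compile(r"\b(?:please\s+)?ignore\s+(?:it|this)\b", re.IGNORECASE)
CONTACT_RE = re.compile(r"\bcontact\b", re.IGNORECASE)


def audit(mail: ResetMail) -> list[str]:
    """Return findings for a message; an empty list means the wording is acceptable.

    Only post-change confirmations are constrained: a request e-mail may safely
    tell an unintended recipient to ignore it, a confirmation may not.
    """
    findings: list[str] = []
    if mail.kind == "confirmation":
        if IGNORE_RE.search(mail.body):
            findings.append("confirmation message tells the recipient to ignore it")
        if not CONTACT_RE.search(mail.body):
            findings.append("confirmation message gives no way to report an unauthorised change")
    return findings


if __name__ == "__main__":
    # Constructed sample values.
    admin = "admin@forum.example"
    for mail in (
        build_reset_request("alice", "https://forum.example/reset?k=PLACEHOLDER_KEY", admin),
        build_confirmation_before("alice", admin),
        build_confirmation_after("alice", admin),
    ):
        print(mail.kind, audit(mail) or "ok")
```

Run as a script it prints one line per message: the request and the fixed confirmation pass, the current-style confirmation is flagged. The same audit() can be pointed at any rendered notification whose kind is known, which is the property worth enforcing: the classification of a message as "nothing happened" or "something happened" decides whether "ignore" is ever acceptable wording.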