Timestamp:
Jul 28, 2014, 9:27:50 PM (10 years ago)
Author:
plg
Message:

bug 3050: increase security on reset password algorithm.

  • reset key has a 1-hour life
  • reset key is automatically deleted once used
  • reset key is stored as a hash

Thank you effigies for code suggestions

File:
1 edited

  • trunk/include/functions_user.inc.php

    r29075 r29111  
    14671467    .','.pwg_db_get_recent_period_expression(1,$user['last_photo_date']).')';
    14681468}
    1469 
    1470 /**
    1471  * Returns a unique activation key.
    1472  *
    1473  * @return string
    1474  */
    1475 function get_user_activation_key()
    1476 {
    1477   while (true)
    1478   {
    1479     $key = generate_key(20);
    1480     $query = '
    1481 SELECT COUNT(*)
    1482   FROM '.USER_INFOS_TABLE.'
    1483   WHERE activation_key = \''.$key.'\'
    1484 ;';
    1485     list($count) = pwg_db_fetch_row(pwg_query($query));
    1486     if (0 == $count)
    1487     {
    1488       return $key;
    1489     }
    1490   }
    1491 }
    1492 
    14931469?>
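
Review bot: The deletion of get_user_activation_key() (old lines 1470-1491) is the only change visible in this file, and the changeset lists it as the single edited file, so none of the three properties in the commit message (1-hour lifetime, deletion after use, hashed storage) can be checked from this hunk. Please say in the message where the reset key is now generated, hashed and expired, and confirm that no caller of get_user_activation_key() remains, since a leftover call would be a fatal undefined-function error in PHP. Dropping the helper is consistent with hashed storage: its uniqueness check compared the plaintext key with `WHERE activation_key = \''.$key.'\'`, which would no longer detect a collision once the column holds a hash.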