Web based family history software

This Help forum is for issues related to the latest release (1.4.6). For issues related to beta or git version please use their own Help forum.
Before asking for help please read "How to request help" by clicking on that tab above here.

Question Request for password

10 years 8 months ago #1 by Jacoline
Request for password was created by Jacoline
I occasionally delete my logfiles and before I do it I always look for any issues. And I like this feature 'cause I really do catch some because of those :)

And I noticed a user (not one of mine - nobody can request user access as default by me) asked for a new password. (The log files told that she did that more than 6 times.) And I tested this myself.

I used a Google Gmail address I have, and this Gmail address is not in my user list. And I got this nice receipt that a new password was sent to the email.

I have no idea what the code does. But should it not say "the email is not registered" instead, since it is not registered in my user table?

Still a noob
(1st installation at 7-21-2010)

10 years 8 months ago #2 by fisharebest
Replied by fisharebest on topic Request for password
You get the same message whether the account exists or not.

This is to prevent an attacker from being able to guess usernames/emails and find out which ones are genuine.

It is similar to the error message "This individual does not exist or you do not have permission to see it". We don't say whether the individual actually exists or not.

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net
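
The behaviour described in the reply above, as an added example that is not webtrees code and not part of the original thread: a reset handler that returns one notice on both paths and records the real outcome only in the server-side log, plus the log check the topic author did by hand. The function names, notice text, log format and sample addresses are all assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not webtrees code. All names and data are hypothetical.

const RESET_NOTICE = 'If this email address is registered, a new password has been sent to it.';

/**
 * Handle a reset request without revealing whether the account exists.
 * $users is a constructed user table keyed by lower-case email;
 * $log is the server-side log that only the administrator reads.
 */
function requestPasswordReset(string $email, array $users, callable $sendMail, array &$log): string
{
    $key = strtolower(trim($email));
    if (isset($users[$key])) {
        // Random value standing in for the new password; it goes to the mailbox only.
        $sendMail($key, bin2hex(random_bytes(16)));
        $log[] = "reset requested: $key (known account, mail sent)";
    } else {
        $log[] = "reset requested: $key (no such account, nothing sent)";
    }
    return RESET_NOTICE; // identical text on both paths
}

/** Count requests per address so repeated attempts stand out during log review. */
function repeatedRequests(array $log, int $threshold): array
{
    $counts = [];
    foreach ($log as $line) {
        if (preg_match('/^reset requested: (\S+) /', $line, $m)) {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    return array_filter($counts, fn (int $n): bool => $n > $threshold);
}

// Constructed sample data: one registered address, one unregistered address.
$users = ['member@example.org' => true];
$log = [];
$sent = [];
$mailer = function (string $to, string $secret) use (&$sent): void { $sent[] = $to; };

$known = requestPasswordReset('member@example.org', $users, $mailer, $log);
$unknown = '';
for ($i = 0; $i < 7; $i++) {
    $unknown = requestPasswordReset('stranger@example.com', $users, $mailer, $log);
}
var_dump($known === $unknown);       // compare the two responses
print_r($sent);                      // addresses that were actually mailed
print_r(repeatedRequests($log, 6));  // addresses seen more than 6 times
```

The notice text is only one channel: the HTTP status, any redirect and the response time should also be the same on both paths, otherwise the difference can still be observed.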

10 years 8 months ago - 10 years 8 months ago #3 by Jacoline
Replied by Jacoline on topic Request for password
Oh I see

Good point :)

In my case I actually do not think it was an attacker - just a Dane - that did not read my message file (the email was a Danish name and email host)

But could it not contain this too: If your email is registered an email with new password will be xxxxxx etc. (will prolly not see it anyway and btw I can not get it translated to Danish)

Still a noob
(1st installation at 7-21-2010)

Last edit: 10 years 8 months ago by Jacoline.
