Why should we make account activation/password reset links expire after some time?

可紊 提交于 2019-12-21 12:12:50

问题


Would there be any big issues if they never expire?

Somebody forgot his password and requests to reset his password, an email with the password reset link is sent to him.

He then suddenly remembers his password and so he simply ignores the password reset email. But after a few days, he forgot again. Since he already has a password reset email in his mailbox, he simply clicks on that link to go back to the website to reset his password.

This seems ok, so why should we make account activation/password reset links expire after some time?


回答1:


What if their email account was compromised. The attacker then sees all these "password reset" links and clicks through them further compromising more accounts. Among them your service which may use Real Money or Credit Card information.



来源:https://stackoverflow.com/questions/4515469/why-should-we-make-account-activation-password-reset-links-expire-after-some-tim

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!