Reset Password
From: Michael JasonSmith
Date: Jan 15 04:49 UTC
The Reset Password page is used when a user has forgotten his or her password.
Currently running, as a functional prototype, is the new password reset page
http://groupserver.org/register/request_password.html
Unlike the current system, the prototype does not send out a user-name or
password; instead it sends out a single link. Clicking on the link sends the
user to the Set Password page. By sending the user to this page, I hope that
he or she will get the hint and set a more memorable password ☺
The user can have as many *active* password-reset links as he or she desires.
However, as soon as one link is used, all other links become inactive. This
should maintain usability, and not compromise security too much.
Under the hood, GroupServer stores a unique ID whenever the user fills out the
Reset Password page. One user can fill out the password-reset page as many
times as he or she likes, and an ID is stored each time. The ID is sent to the
user in the email-notification, as part of a link. When the user clicks on this
link, GroupServer looks up the user using the ID, redirects him or her to the
set-password page, and removes all the old IDs from the database. The
redirection mechanism is very similar to the existing system for posts, files,
and topics.
Richard suggests that we redirect to the site homepage after the password is
set. I understand how this is useful, as it gets the user to the most useful
page more quickly. However, I wonder if the user would be confused by the
redirection, especially as we never do it in any other case. Adding to my
concerns is that the standard homepage on an active site is quite busy, and the
user may lose the “password has been set” message amongst the noise, leaving
the user wondering if the password has been set.
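
The reset-ID lifecycle described in the post (one stored ID per request, lookup by ID, and removal of all of the user's IDs on first use) can be sketched as follows. This is an added example, not part of the original post and not GroupServer's code: the `ResetLinkStore` class, the `password_reset` table, and the use of `secrets` to generate IDs are all assumptions.

```python
import secrets
import sqlite3

class ResetLinkStore:
    """Hypothetical store for password-reset IDs (not GroupServer's schema)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE password_reset ("
            "reset_id TEXT PRIMARY KEY, user_id TEXT NOT NULL)")

    def request_reset(self, user_id):
        """Store a fresh ID for the user; the ID goes into the emailed link."""
        # Assumption: IDs come from a CSPRNG so a link cannot be guessed.
        reset_id = secrets.token_urlsafe(32)
        with self.db:
            self.db.execute(
                "INSERT INTO password_reset VALUES (?, ?)", (reset_id, user_id))
        return reset_id

    def redeem(self, reset_id):
        """Return the user for a live ID and remove all of that user's IDs."""
        row = self.db.execute(
            "SELECT user_id FROM password_reset WHERE reset_id = ?",
            (reset_id,)).fetchone()
        if row is None:
            return None  # unknown ID, or retired when a sibling link was used
        with self.db:  # commit the delete, or roll back on error
            self.db.execute(
                "DELETE FROM password_reset WHERE user_id = ?", row)
        return row[0]

    def active_links(self, user_id):
        return self.db.execute(
            "SELECT COUNT(*) FROM password_reset WHERE user_id = ?",
            (user_id,)).fetchone()[0]

def demo():
    """Constructed scenario: two requests by one user, one by another."""
    store = ResetLinkStore()
    first = store.request_reset("alice")
    second = store.request_reset("alice")
    store.request_reset("bob")
    return {
        "alice_active_before": store.active_links("alice"),
        "first_use": store.redeem(first),
        "second_after_first": store.redeem(second),
        "replay_first": store.redeem(first),
        "bob_still_active": store.active_links("bob"),
    }
```

Redeeming either of a user's links retires the other one and blocks replay of the first, while another user's pending link is untouched.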