Leigh B. Stoller authored
involving testbed ops. Split into two parts:

* password.php3 gives the user a form to specify their email address and their phone number. We look for a match in the DB, with the phone number stripped of all non-numeric characters and the email addresses lowercased. If we find a matching user in the database, generate a unique key and store that into the DB along with a timestamp that allows the key to be used for a short time period (currently 30 minutes). The key is split into two parts, with half stored in the user's browser (secure mode), and the other half sent to the user in an email message that contains a URL that allows the user to reset their password.

* chpasswd.php3 does the rest of the operation. It takes half the key from the URL, and sucks the other half from the user's browser, combining the two halves and matching it against the key that is stored in the DB. If the key matches and the timeout has not expired, the user is given a form to specify a new password. From this point on it's just a standard change password operation.

Both pages are audited with email sent to the user, tbops and the audit list.
315e11ab
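The split-key flow described in the commit message, as an added Python example (not the commit's PHP code): user lookup with the same email/phone normalisation, key issuance with a 30-minute window, and verification that recombines the browser half and the URL half. It assumes an in-memory dict as the DB and, as a hardening not stated in the commit, stores a hash of the key rather than the key itself and consumes it on first successful use.

```python
import hashlib
import hmac
import re
import secrets

RESET_TTL_SECONDS = 30 * 60  # the 30-minute window from the commit message


def normalize_email(email: str) -> str:
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    # strip everything that is not a digit, as password.php3 does
    return re.sub(r"[^0-9]", "", phone)


def find_user(users, email: str, phone: str):
    """Return the uid whose normalised email and phone both match, else None."""
    e, p = normalize_email(email), normalize_phone(phone)
    for u in users:
        if normalize_email(u["email"]) == e and normalize_phone(u["phone"]) == p:
            return u["uid"]
    return None


def issue_reset_key(db: dict, uid: str, now: float):
    """Generate a random key, record its hash and issue time for uid, and
    return (cookie_half, url_half). Storing a hash is an added hardening
    (assumption); the commit stores the key itself."""
    key = secrets.token_hex(16)  # 32 hex characters
    db[uid] = {"key_hash": hashlib.sha256(key.encode()).hexdigest(), "issued": now}
    half = len(key) // 2
    return key[:half], key[half:]


def verify_reset_key(db: dict, uid: str, cookie_half: str, url_half: str, now: float) -> bool:
    """chpasswd.php3 logic: recombine the halves, check expiry, compare to DB.
    On success the record is removed so the key is single-use (assumption)."""
    rec = db.get(uid)
    if rec is None or now - rec["issued"] > RESET_TTL_SECONDS:
        return False
    candidate = hashlib.sha256((cookie_half + url_half).encode()).hexdigest()
    if not hmac.compare_digest(candidate, rec["key_hash"]):  # constant-time
        return False
    del db[uid]
    return True
```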