Closed
Description
Expand the guidance around testing forgotten password links in 4.5.9 to include checks that the link:

- Is actually random (not something stupid like `sha1($email)`)
- Can only be used once
- Expires after a period of time
- Doesn't include a user ID or other value that can be tampered with
- If they're using a JWT for the link, that it's not vulnerable to the usual stuff
Assign me, please!
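The first four checks in the list above describe properties of the reset token itself. The following is an added example, not code from this issue or from the guide it refers to, showing a minimal reset-token service that satisfies them (random, single-use, expiring, opaque) plus the tester-side check for a token that is just a hash of the email; the 15-minute lifetime and the `user-42` identifiers are constructed values.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed value: links expire after 15 minutes


class PasswordResetService:
    """Issues and redeems reset tokens that are random, single-use,
    time-limited, and carry no user identifier that could be tampered with."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically
        # Only a hash of the token is stored: a database leak does not leak live links.
        self._pending = {}  # sha256(token) -> {"user_id", "expires_at", "used"}

    def issue(self, user_id):
        # 256 bits from the OS CSPRNG; not derived from the email or any user attribute.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = {
            "user_id": user_id,
            "expires_at": self._clock() + self._ttl,
            "used": False,
        }
        return token  # the link carries only this opaque value, no user id

    def redeem(self, token):
        """Return the user_id for a valid token, or None. Succeeds at most once per token."""
        record = self._pending.get(self._digest(token))
        if record is None or record["used"]:
            return None
        if self._clock() > record["expires_at"]:
            return None
        record["used"] = True  # burn the token before acting on it
        return record["user_id"]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()


def looks_derived_from_email(token, email):
    """Tester-side check for the first bullet: is the token just a plain hash of the email?"""
    digests = {h(email.encode()).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}
    return token.lower() in digests
```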