I developed the lost password feature based on the discussion we had in
the past days. It's not yet applied to CVS.
Basically, the idea is the following:
- The user asks for the password reset providing username and password
- Mantis sends an email with a link to a specific page and with a check-code
- The user follows the link and Mantis will send back the new password via
email if the check-code is right.
The checkcode is the md5 of the old password, the last visit timestamp and an
application-dependent key (it's a new option in the config_inc.php). In
this way the checkcode is different from application to application (key is
different), from user to user, from password to password and it's valid
only for one attempt (timestamp dependent).
What is your feedback? Am I on the right path?
In the same patch I'm going to provide the following added features (open
point in the bug tracker):
- admins/managers notification of new account created via email (new option
added in the config_inc.php to set the class)
- checkbox to auto generate a random password while creating new accounts
from the admin panel
P.S. I'm Italian and I know my English is not so good... :-)
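
The check-code scheme described in the message above, as an added example that is not part of the original post and is not Mantis code. The function names, array fields, key and timestamps are hypothetical, constructed values, and the constant-time comparison is this example's choice.

```php
<?php
// Added illustration: hypothetical names and constructed data, not Mantis code.

// Check-code as the message describes it: md5 over the old password (assumed
// here to be whatever value the account row stores), the last-visit timestamp
// and an application-dependent key.
function lost_password_checkcode(array $user, string $app_key): string {
    return md5($user['password'] . $user['last_visit'] . $app_key);
}

// Recompute from the current account row and compare in constant time.
function lost_password_verify(array $user, string $app_key, string $supplied): bool {
    return hash_equals(lost_password_checkcode($user, $app_key), $supplied);
}

// Constructed sample accounts and key.
$app_key = 'constructed-key-from-config_inc';
$alice = ['password' => md5('old-secret'), 'last_visit' => 1090567762];
$bob   = ['password' => md5('other-pass'), 'last_visit' => 1090567762];

$code = lost_password_checkcode($alice, $app_key);
$checks = [
    'valid link accepted'          => lost_password_verify($alice, $app_key, $code),
    'other user rejected'          => !lost_password_verify($bob, $app_key, $code),
    'other application rejected'   => !lost_password_verify($alice, 'another-key', $code),
    // Nothing in the row has changed yet, so the same code still verifies.
    'still valid before any update' => lost_password_verify($alice, $app_key, $code),
];

// The reset stores a new password and a new last-visit value; only this
// change to the row makes the old link stop verifying.
$alice['password']   = md5('new-random-password');
$alice['last_visit'] = 1090567999;
$checks['reused link rejected'] = !lost_password_verify($alice, $app_key, $code);

foreach ($checks as $name => $ok) {
    printf("%-32s %s\n", $name, $ok ? 'ok' : 'FAIL');
}
```

The code has no expiry of its own: it stays valid until the stored password or last-visit value changes, so the one-attempt property depends on the reset page updating one of them.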
From: Alex Netman (aka Wanderer) <badger@la...> - 2004-07-23 11:28:07
On Fri, 23 Jul 2004 08:29:22 +0200 (23.07.2004 12:29 my local time),
received Friday, July 23, 2004 at 16:15:40,
you wrote about "[Mantisbt-dev] Lost password function - First partial implementation"
at least in part:
mstac> - The user asks for the password reset providing username and password
Just one question - what is the password at this stage?
Alex Netman (aka Wanderer)