Open mawiseman opened 6 years ago
Thanks @mawiseman for a valid point, which indeed makes sense to implement. It is, however, a much more complex solution than the current one, and therefore is way more risky to introduce an even bigger vulnerability.
In fact, it will also require replacing the password recovery mechanism on the Sitecore login page, because SignUpRules relies on it.
I think it would be better practice (and probably more secure) to send a link with userid and expiration date via JWT and force the user to choose their own password.
https://jwt.io/
This would mean