CakeDC / users

Users Plugin for CakePHP
https://www.cakedc.com

Reset password #932

Open rudy1976s opened 3 years ago

rudy1976s commented 3 years ago

Hello. After a successful reset password, the Users.resetPasswordUserId session key is persisted.

In PasswordManagementTrait there is a check to validate the reset password confirmation workflow:

$user->id = $this->getRequest()->getSession()->read(
                Configure::read('Users.Key.Session.resetPasswordUserId')
            );

Do you think it would be better to delete it, to prevent access to the reset-password page without the confirmation workflow?

I added it in my subclass of the trait before dispatching EVENT_AFTER_CHANGE_PASSWORD.

Now if a user tries to access the reset URL without requesting a password, they will be redirected to login.

Rudy
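The two behaviours described in the comment above, side by side, as an added illustration (not CakeDC/users code): a constructed in-memory session stands in for Cake\Http\Session, the key name and the `PasswordResetFlow` class are assumptions, and the event is recorded in an array instead of being dispatched. Requires PHP 8.

```php
<?php
// Constructed stand-in for the CakePHP session; read/check/delete mirror Cake\Http\Session methods.
final class FakeSession
{
    private array $data = [];
    public function write(string $key, $value): void { $this->data[$key] = $value; }
    public function read(string $key) { return $this->data[$key] ?? null; }
    public function check(string $key): bool { return array_key_exists($key, $this->data); }
    public function delete(string $key): void { unset($this->data[$key]); }
}
// Assumed value of Configure::read('Users.Key.Session.resetPasswordUserId').
const RESET_USER_ID_KEY = 'Users.resetPasswordUserId';
final class PasswordResetFlow
{
    public array $events = [];
    public function __construct(private FakeSession $session) {}
    // Token confirmation step: store the user id so the reset form knows who it is for.
    public function confirmToken(int $userId): void
    {
        $this->session->write(RESET_USER_ID_KEY, $userId);
    }

    // Guard for the reset form: no key means no confirmation happened, so redirect to login.
    public function resetPageAllowed(): bool
    {
        return $this->session->check(RESET_USER_ID_KEY);
    }

    // Behaviour described in the issue: the key survives a successful reset.
    public function changePasswordPersisting(): void
    {
        $this->events[] = ['EVENT_AFTER_CHANGE_PASSWORD', $this->session->read(RESET_USER_ID_KEY)];
    }

    // Proposed fix: delete the key before dispatching EVENT_AFTER_CHANGE_PASSWORD.
    public function changePasswordCleared(): void
    {
        $userId = $this->session->read(RESET_USER_ID_KEY);
        $this->session->delete(RESET_USER_ID_KEY);
        $this->events[] = ['EVENT_AFTER_CHANGE_PASSWORD', $userId];
    }
}
$flow = new PasswordResetFlow(new FakeSession());
$flow->confirmToken(42);
$flow->changePasswordPersisting();
echo 'persisting: reset form reachable=' . var_export($flow->resetPageAllowed(), true) . PHP_EOL;
$flow->confirmToken(42);
$flow->changePasswordCleared();
echo 'cleared: reset form reachable=' . var_export($flow->resetPageAllowed(), true) . PHP_EOL;
```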

ajibarra commented 2 months ago

@rudy1976s is this still an issue in latest version?