amnah / yii2-user

Yii2 user authentication module
MIT License
253 stars, 104 forks

Avoid Forgot Password abuse #107

Closed db012 closed 8 years ago

db012 commented 9 years ago

Hello, thank you very much for your awesome work. I would like to avoid abuse of the forgot password feature, so in the function sendForgotEmail() of the ForgotForm module I could check whether the previous key was generated, for example, less than 30 minutes ago. Do you think there is a way to set a maximum number of keys generated in a single day for each user (48 emails per day is also too much)? Thank you very much for your kind attention.

amnah commented 9 years ago

I'd recommend implementing some form of captcha first. This is easy to accomplish and should handle a majority of cases. But if you still want to implement some rate limiting, then you'd need to add a check for the last UserKey generated.

For both solutions, you'll need to extend/update models/forms/ForgotForm.php
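One way to implement the rate-limiting option described above, as an added example that is not part of amnah/yii2-user: a ForgotForm subclass that looks at the UserKey rows already issued to the user before sending another reset email. It assumes that ForgotForm exposes an `email` attribute and a `sendForgotEmail()` method (the method is named in the issue), that UserKey rows carry `user_id`, `type` and `create_time` columns plus a `TYPE_PASSWORD_RESET` constant, and that `create_time` is stored as a datetime string; the class name, namespace and the two limits (30 minutes between keys, 5 keys per rolling day) are the example's own choices.

```php
<?php
// Added example, not code from amnah/yii2-user. Assumptions (adjust to your schema):
//  - ForgotForm has an `email` attribute and a sendForgotEmail() method that
//    creates the UserKey and mails it;
//  - UserKey has `user_id`, `type`, `create_time` (datetime string) columns and
//    a TYPE_PASSWORD_RESET constant.
namespace app\models\forms;

use amnah\yii2\user\models\forms\ForgotForm;
use amnah\yii2\user\models\User;
use amnah\yii2\user\models\UserKey;

class ThrottledForgotForm extends ForgotForm
{
    /** Minimum seconds between two reset keys for the same user (30 minutes). */
    public $minGapSeconds = 1800;

    /** Maximum reset keys per user in a rolling 24-hour window. */
    public $maxPerDay = 5;

    /**
     * Pure decision logic, kept free of database access so it can be unit-tested.
     * $createTimes: unix timestamps of reset keys already issued to this user.
     * Returns null when another key may be issued, otherwise the reason to refuse.
     */
    public static function throttleReason(array $createTimes, int $now, int $minGapSeconds, int $maxPerDay): ?string
    {
        $dayAgo = $now - 86400;
        $inLastDay = array_filter($createTimes, function ($t) use ($dayAgo) {
            return $t >= $dayAgo;
        });
        if (count($inLastDay) >= $maxPerDay) {
            return 'Too many password reset requests today; please try again tomorrow.';
        }

        $latest = $createTimes ? max($createTimes) : 0;
        if ($latest > $now - $minGapSeconds) {
            $waitMinutes = (int) ceil(($latest + $minGapSeconds - $now) / 60);
            return "A reset link was sent recently; please wait {$waitMinutes} minute(s).";
        }
        return null;
    }

    /**
     * Runs the throttle check, then defers to the parent implementation.
     * The parent's handling of unknown addresses is left untouched.
     */
    public function sendForgotEmail()
    {
        $user = User::findOne(['email' => $this->email]);
        if ($user !== null) {
            $now = time();
            // Only the last 24 hours matter for both limits, so restrict the query to that window.
            $rows = UserKey::find()
                ->select('create_time')
                ->where(['user_id' => $user->id, 'type' => UserKey::TYPE_PASSWORD_RESET])
                ->andWhere(['>=', 'create_time', date('Y-m-d H:i:s', $now - 86400)])
                ->column();
            $createTimes = array_map('strtotime', $rows);

            $reason = self::throttleReason($createTimes, $now, $this->minGapSeconds, $this->maxPerDay);
            if ($reason !== null) {
                $this->addError('email', $reason);
                return false;
            }
        }
        return parent::sendForgotEmail();
    }
}
```

Register the subclass in the module's model map (or instantiate it directly in the forgot action) so the controller uses it instead of the stock ForgotForm. One caveat: a visible throttle error only appears for addresses that exist, so it tells the requester that the account is real; if the rest of your flow hides that (same response for known and unknown addresses), log the refusal server-side and show the generic "check your inbox" message instead of calling `addError()`.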

db012 commented 9 years ago

Ok, thank you!