It's possible that a hash could be generated for a password request timestamp of NULL. This could mean somebody (very clever) could figure out the URL to reset a password for somebody who never requested it.
We should check, both when rendering the page and when dealing with the form, that the user's password-requested-at timestamp is not null.
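One way to implement the check described above, as an added example that is not the project's own code. The `User` class, the HMAC-based `reset_hash`, the `SECRET` value and the 24-hour `TTL` are assumptions made for illustration; the report does not show how the hash is built.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

SECRET = b"constructed-demo-secret"  # constructed value, not from the report
TTL = timedelta(hours=24)            # assumed validity window


class User:
    def __init__(self, uid, password_requested_at=None):
        self.uid = uid
        self.password = None
        self.password_requested_at = password_requested_at  # None == NULL


def reset_hash(user):
    # Reproduces the reported weakness: a NULL timestamp still yields a hash.
    ts = user.password_requested_at
    stamp = "" if ts is None else str(int(ts.timestamp()))
    msg = f"{user.uid}:{stamp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def reset_allowed(user, supplied_hash, now=None):
    """Single gate shared by the page render and the form handler."""
    now = now or datetime.now(timezone.utc)
    ts = user.password_requested_at
    if ts is None:        # nobody requested a reset: reject before hashing
        return False
    if now - ts > TTL:    # stale request (assumed policy)
        return False
    return hmac.compare_digest(reset_hash(user), supplied_hash)


def render_reset_page(user, supplied_hash, now=None):
    # Check when rendering the page.
    return 200 if reset_allowed(user, supplied_hash, now) else 404


def handle_reset_form(user, supplied_hash, new_password, now=None):
    # Check again when handling the form; the render check can be skipped
    # by posting directly.
    if not reset_allowed(user, supplied_hash, now):
        return False
    user.password = new_password
    user.password_requested_at = None  # link becomes single-use
    return True
```

Routing both entry points through one gate keeps the NULL check from being applied on the page but forgotten on the form.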