spenmath / ScoutsEMSIssues

Public Issues for the Scout Event Management System

Password reset is Email Address case sensitive #59

Open artfulbodger opened 6 years ago

artfulbodger commented 6 years ago

After token validation, the email address entered is checked against the email address used to request the reset. This check doesn't use case insensitivity as suggested by https://www.owasp.org/index.php/Authentication_Cheat_Sheet#User_IDs

Example: John.Smith@example.com != john.smith@example.com.

artfulbodger commented 6 years ago

The email address should be stored with the token in lowercase, and when validating, the user input should be checked using ToLower().
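The fix proposed above, worked through as an added example. This is illustrative code written for this page, not the Scout Event Management System's own code; the in-memory token store, the method names RequestReset and ValidateReset, and the .NET 6 target are all assumptions. It normalises the address once when the token is issued and again when the user enters it, so John.Smith@example.com and john.smith@example.com compare equal. One caveat on the suggested ToLower(): with no argument it lower-cases using the thread's current culture, and under tr-TR an "I" becomes dotless "ı", so the same address would normalise differently on two servers. ToLowerInvariant() (or StringComparison.OrdinalIgnoreCase) avoids that.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not the Scout EMS code base: a minimal password-reset
// token store that records the requesting e-mail in a normalised form and
// compares the address entered after token validation case-insensitively.
class PasswordResetExample
{
    // Hypothetical in-memory store: token -> (normalised e-mail, expiry).
    // A real system would persist this and store only a hash of the token.
    private static readonly Dictionary<string, (string Email, DateTime Expires)> Tokens = new();

    // Normalise with the invariant culture. Plain ToLower() uses the current
    // culture, so "JOHN.SMITH" would not equal "john.smith" under tr-TR.
    static string NormaliseEmail(string email) => email.Trim().ToLowerInvariant();

    // Issue a reset token and remember which (normalised) address asked for it.
    static string RequestReset(string email)
    {
        var token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        Tokens[token] = (NormaliseEmail(email), DateTime.UtcNow.AddMinutes(30));
        return token;
    }

    // After the token itself has been looked up and found unexpired, check
    // that the address the user typed matches the one the reset was
    // requested for, ignoring case. Both sides are normalised the same way,
    // so an ordinal comparison is sufficient; comparing the stored value
    // against the raw input with StringComparison.OrdinalIgnoreCase would be
    // equivalent.
    static bool ValidateReset(string token, string enteredEmail)
    {
        if (!Tokens.TryGetValue(token, out var entry)) return false;
        if (DateTime.UtcNow > entry.Expires) return false;
        bool matches = string.Equals(entry.Email, NormaliseEmail(enteredEmail), StringComparison.Ordinal);
        if (matches) Tokens.Remove(token); // single use once accepted
        return matches;
    }

    static void Main()
    {
        var token = RequestReset("John.Smith@example.com");
        Console.WriteLine($"mixed case:  {ValidateReset(token, "john.smith@example.com")}");

        token = RequestReset("John.Smith@example.com");
        Console.WriteLine($"upper case:  {ValidateReset(token, "JOHN.SMITH@EXAMPLE.COM")}");

        token = RequestReset("John.Smith@example.com");
        Console.WriteLine($"other user:  {ValidateReset(token, "jane.smith@example.com")}");
    }
}
```

The comparison step is the one the issue is about; the expiry and single-use handling are ordinary reset-token hygiene included so the store is usable as written, not something the issue itself specifies.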