Open artfulbodger opened 6 years ago
After token validation, the email address entered is checked against the email address used to request the reset. This check doesn't use case insensitivity as suggested by https://www.owasp.org/index.php/Authentication_Cheat_Sheet#User_IDs
Example: John.Smith@example.com != john.smith@example.com.
The email address should be stored with the token in lowercase, and when validating, the user input should be checked using ToLower().
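An added example (not the project's code) of the fix the issue describes, written in Go with `strings.ToLower` standing in for the `ToLower()` mentioned above: the address is normalized before it is stored with the token, the user's input is normalized the same way at validation time, and the two are compared in constant time. The `ResetStore` type, the token values and the sample addresses are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strings"
)

// ResetRequest is what gets stored alongside an issued reset token.
// (Hypothetical type, not from the project.)
type ResetRequest struct {
	Email string // stored already normalized
}

// NormalizeEmail applies the comparison form suggested in the issue:
// trim surrounding whitespace and lower-case the whole address.
func NormalizeEmail(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// ResetStore maps a reset token to the request that issued it.
type ResetStore struct {
	byToken map[string]ResetRequest
}

func NewResetStore() *ResetStore {
	return &ResetStore{byToken: map[string]ResetRequest{}}
}

// Issue records a reset request; the email is normalized before storage,
// so the stored value never depends on how the user typed it.
func (s *ResetStore) Issue(token, email string) {
	s.byToken[token] = ResetRequest{Email: NormalizeEmail(email)}
}

// Validate checks that the token exists and that the user-entered address
// matches the stored one case-insensitively. The comparison is constant-time
// so the position of a mismatch does not leak through timing.
func (s *ResetStore) Validate(token, enteredEmail string) bool {
	req, ok := s.byToken[token]
	if !ok {
		return false
	}
	entered := NormalizeEmail(enteredEmail)
	return subtle.ConstantTimeCompare([]byte(req.Email), []byte(entered)) == 1
}

func main() {
	s := NewResetStore()
	s.Issue("tok-123", "John.Smith@example.com")                 // constructed sample
	fmt.Println(s.Validate("tok-123", "john.smith@example.com")) // true
	fmt.Println(s.Validate("tok-123", "jane.doe@example.com"))   // false
}
```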