undefined | Better HN

0 pointslayer82y ago0 comments

How do you implement password-reset links otherwise? I mean, those should be short-lived, but still.

0 comments

You could send the user a code that they must copy paste onto the page rather than sending them a link.

Hopefully using POST not GET. The GET links get logged in the HTTP server most of time. Just another great way to store your 'security credential' in plain text. Logs gets zipped and archive. Good luck with any security measure.

andersa2y ago

I mean of course the idea was to put it in a form that is sent using POST, but even then, it's a single-use reset code so once it shows in the log it's worthless.

1 more reply

hnlmorg2y ago

As you said, short lived codes. And the codes don’t contain any PII. So even if the link does get indexed, it’s meaningless and useless.

12312321312312y ago

A short-lived link that's locked down to their user agent/IP would work as well.

j / k navigate · click thread line to collapse

0 comments

andersa2y ago

You could send the user a code that they must copy paste onto the page rather than sending them a link.

vmfunction2y ago

andersa2y ago

I mean of course the idea was to put it in a form that is sent using POST, but even then, it's a single-use reset code so once it shows in the log it's worthless.

1 more reply

hnlmorg2y ago

As you said, short lived codes. And the codes don’t contain any PII. So even if the link does get indexed, it’s meaningless and useless.

12312321312312y ago

A short-lived link that's locked down to their user agent/IP would work as well.

j / k navigate · click thread line to collapse