undefined | Better HN

0 pointsandersa2y ago0 comments

I mean of course the idea was to put it in a form that is sent using POST, but even then, it's a single-use reset code so once it shows in the log it's worthless.

0 comments

fullspectrumdev2y ago

This makes a large assumption about application logic that is often incorrect.

t. security auditor/researcher.

rapind2y ago

It certainly does. Security usually comes at the cost of convenience and can incur confusion.

In this example, where best practice may be to use one time tokens, you will end up with users who click on the secure link again (from their email) in the future to access the secure site and they’ll be frustrated when they have to go through the secure link generation dance again.

Of course you can mitigate this with sessions / cookies, but that is also a security compromise and not device portable.

It’s easy to say that these are minor uxp concerns, but enforcing a high level of security may have a significant user cost depending on your demographic. I have a demographic that skews older and non technical and they are pretty loud when they complain about this stuff… meanwhile they are also more likely to reuse passwords and forward emails with secure links in them!

conductr2y ago

Some people will always find something to complain about. I feel like it’s completely reasonable to give a “sorry this link was only valid for 5 minutes and is now expired, request a new code here” message. State it in the email that originally contained the link and state it again on the page when they click it afterwards. This is incredibly common practice and very unlikely to be the first time someone has seen this workflow. If they want to complain further, direct them to a password manager and remind them there’s probably one built into their browser already

1 more reply

j / k navigate · click thread line to collapse