I was reading an article this morning about how to prepare for GDPR and it mentions how to handle password reset requests. The suggestion is that we shouldn't be confirming whether or not an account exists based on the details provided.
Could a malicious user compromise data by triggering an error? For example, if a user enters email addresses in a "Forgot Email" form, will the form confirm that the password reminder has been sent (and by inference confirm that the user has an account)?
If an account doesn't exist Craft informs the user:

Should this be changed so that the submission always succeeds, with the request only being processed if an account exists and failing silently if one doesn't?
There's a config setting for that :) https://craftcms.com/docs/config-settings#preventUserEnumeration
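The uniform-response handling proposed in the question, shown as an added Python example that is not Craft's code (in Craft the linked `preventUserEnumeration` setting switches this behaviour on). The account store, token table and outbox below are constructed stand-ins so the example runs offline; the leaky version is kept beside the hardened one for comparison.

```python
import hashlib
import secrets

# Constructed sample account store (email -> user id); not real data.
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# Stand-ins for the reset-token table and the outgoing mail queue.
RESET_TOKENS = {}   # user id -> sha256 of the token that was mailed
OUTBOX = []         # (recipient, token) pairs handed to the mailer

GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."


def leaky_forgot_password(email: str) -> str:
    """Behaviour the question describes: the reply itself says whether the account exists."""
    user_id = USERS.get(email.strip().lower())
    if user_id is None:
        return "No account exists with that email address."
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[user_id] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((email, token))
    return "Password reset email sent."


def safe_forgot_password(email: str) -> str:
    """Hardened behaviour: identical reply for hits and misses, mail queued only on a hit."""
    user_id = USERS.get(email.strip().lower())
    # Do the same work on both paths (token generation and hashing) so the
    # response time does not become a second way to tell the two cases apart.
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    if user_id is not None:
        RESET_TOKENS[user_id] = token_hash
        # Hand off to a queue rather than sending inline: an SMTP round trip
        # on the hit path alone would be measurable from outside.
        OUTBOX.append((email, token))
    # The miss path simply discards the token and says nothing different.
    return GENERIC_MESSAGE


def queued_mail_count() -> int:
    """How many reset mails have been handed to the (stand-in) mailer."""
    return len(OUTBOX)
```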
@brandonkelly Impressive! Thanks!