by jpalomaki
3529 days ago
One option is to avoid putting the token in the link and at least provide the user a simple way of copy-pasting the token to the password reset form. Sometimes this is actually something I as a user want to have, since it might be that I'm receiving the email on device A, but want to reset the password on device B. And please keep the password reset tokens sane. If you are not encoding some data into the token, you don't really need that 80 character random string for security.

Tradeoffs...
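
A sketch of the copy-paste-friendly reset token discussed in the comment above, added here as an example and not part of the original thread. All names (`ResetStore`, `new_token`, and so on) are hypothetical; the 25-symbol length and 15-minute lifetime are assumptions chosen for illustration.

```python
import hashlib, hmac, math, secrets, time

# Crockford-style base32: no I, L, O or U, so a retyped token is unambiguous.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random token."""
    return length * math.log2(alphabet_size)

def new_token(length=25):
    """25 symbols x 5 bits = 125 bits from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def display(token, group=5):
    """Group as XXXXX-XXXXX-... for the e-mail body."""
    return "-".join(token[i:i + group] for i in range(0, len(token), group))

def normalize(user_input):
    """Undo what copy-paste or retyping does: case, dashes, spaces, look-alikes."""
    s = "".join(user_input.upper().replace("-", "").split())
    return s.translate(str.maketrans("OIL", "011"))

def digest(token):
    # Only the hash is stored, so a leaked table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class ResetStore:
    """In-memory stand-in for the reset-token table (hypothetical)."""
    def __init__(self, ttl=900):          # assumed 15-minute lifetime
        self.ttl, self._rows = ttl, {}    # user -> (digest, expiry)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = new_token()
        self._rows[user] = (digest(token), now + self.ttl)
        return display(token)             # goes in the e-mail, never stored

    def redeem(self, user, user_input, now=None):
        now = time.time() if now is None else now
        stored, expires = self._rows.get(user, ("", 0.0))
        fresh = now <= expires
        match = hmac.compare_digest(stored, digest(normalize(user_input)))
        if fresh and match:
            del self._rows[user]          # single use
            return True
        return False
```

`entropy_bits(25)` is 125 bits, while an 80-character alphanumeric string (`entropy_bits(80, 62)`) carries about 476 bits, far more than an expiring, single-use token needs.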