by nchelluri
3526 days ago
I don't think it's so simple. Before generating the PW reset link, someone might try to log in first. So they'd enter bob@example.com into the login form and then when that failed, it's not uncommon to redirect with error-msg-in-session to /login?email=bob@example.com. So you'd leak the email first.
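
An added example, not part of the comment or of any project's code: the query-string redirect described above beside a session-based alternative, plus a check that flags addresses in logged request targets. All function names, session keys and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Loose address pattern, good enough for log triage (not an RFC 5322 validator).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def redirect_with_email_in_url(email):
    """The pattern from the comment: the address travels in the query string."""
    return "/login?" + urlencode({"email": email})

def redirect_with_email_in_session(session, email):
    """Alternative: keep the address server-side, next to the error message."""
    session["flash_error"] = "Invalid email or password."
    session["login_email"] = email  # hypothetical key, used only to re-fill the form
    return "/login"

def emails_in_request_target(target):
    """Return (parameter, address) pairs found in a request target's query."""
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for address in EMAIL_RE.findall(value):
            hits.append((key, address))
    return hits

def scan_access_log(lines):
    """Return (line_number, parameter, address) for request lines carrying an address."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"', line)
        if match:
            for key, address in emails_in_request_target(match.group(1)):
                findings.append((number, key, address))
    return findings

# Constructed sample access-log lines, not taken from the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login?email=bob%40example.com HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /login HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```
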