by bahjoite
3529 days ago
> Redirect is the cleanest solution.

Exactly. Submitting tokens via GET requests (as is necessary for an emailed token) should be handled in the same way as POST (POST-redirect-GET): the resource which validates the token should not be the one that presents the "password reset" form.
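The pattern described in the comment above, as an added sketch that is not part of the original thread: one resource validates and consumes the emailed token, then redirects to a separate token-free resource that presents the form. The paths `/reset/verify` and `/reset/form`, the `reset_sid` cookie and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# In-memory stores for the sketch; a real application would use its database.
PENDING = {}    # sha256(token) -> (user, expiry timestamp)
SESSIONS = {}   # reset-session id -> user allowed to set a new password


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user, ttl=900, now=None):
    """Create the single-use token that goes into the emailed link."""
    token = secrets.token_urlsafe(32)
    PENDING[_digest(token)] = (user, (now or time.time()) + ttl)
    return token


def handle_get(path, query, cookies, now=None):
    """Return (status, headers, body) for a GET request."""
    now = now or time.time()
    if path == "/reset/verify":
        # Validate and consume the token here, but render nothing.
        user, expiry = PENDING.pop(_digest(query.get("token", "")), (None, 0))
        if user is None or expiry < now:
            return 400, {}, "Reset link is invalid or expired."
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = user
        # Redirect to a URL that carries no token, as with POST-redirect-GET.
        cookie = f"reset_sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/reset"
        return 303, {"Location": "/reset/form", "Set-Cookie": cookie}, ""
    if path == "/reset/form":
        # The form is shown only to a browser holding the reset session.
        if cookies.get("reset_sid") not in SESSIONS:
            return 403, {}, "Start again from the emailed link."
        form = '<form method="post"><input type="password" name="new_password"></form>'
        return 200, {}, form
    return 404, {}, ""
```

Because the token is consumed before the redirect, reloading or sharing the form URL exposes nothing reusable, and the emailed link stops working after its first use.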