
User should have to click on a link to reset their password not have their password reset automatically #120

Closed
mbainrot opened this issue Sep 2, 2012 · 5 comments

Comments

@mbainrot

mbainrot commented Sep 2, 2012

While testing my opencart installation in prep for opening up shop I have discovered a very worrying issue.

When you request a password reset it just resets the password, it does not give the user an opportunity to click a link to confirm that they want to reset their password.

This could be used by malicious users to block customers from being able to log into their account.

@opencart
Collaborator

opencart commented Sep 2, 2012

If they knew the customer's email address was a member.

@opencart opencart closed this as completed Sep 2, 2012
@manishcipl

Hi Open cart Team,

What happens if the user is currently logged in to the OpenCart site and doing a payment, and someone enters his email address at the forgot-password page and his password gets reset? So this approach is not good. I think the admin reset-password flow should also be applied to the customer's password reset.

Regards,
Manish Sharma

@rgbworld

Hello,
This issue should be reopened and properly addressed. Stating that the person requesting the password reset would need to know a customer's email address is true, but it does not solve the issue. Basically anyone can reset anyone else's password.

The correct solution is to send a password reset link to the email address on file. Then you can be certain that the request came from the member.

Best regards,
Chris Kassa
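The two flows contrasted in this thread, side by side, as an added example in Python (language-agnostic illustration; this is not OpenCart code and not code posted by any commenter). The `insecure_forgotten` method models the behaviour the issue reports: an unauthenticated request overwrites the password at once, so a stranger who knows the address locks the real owner out. The `request_reset` / `confirm_reset` pair models the link-based flow proposed above: the password is left untouched, a random single-use token is mailed, only its hash is stored, and the password changes only when the token comes back within its lifetime. The link URL, the 30-minute lifetime and the in-memory stores are hypothetical, and the SHA-256 password hash stands in for a real password KDF.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 30 * 60  # hypothetical lifetime of a reset link
RESET_URL = "https://shop.example/reset?token="  # hypothetical endpoint


def hash_password(password: str) -> str:
    # Demo only: a production store would use bcrypt/argon2 here.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    email: str
    password_hash: str


@dataclass
class PendingReset:
    email: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email.lower(): a for a in accounts}
        self.pending = {}   # sha256(token) -> PendingReset
        self.outbox = []    # (recipient, body) a real shop would send as mail
        self.now = now      # injectable clock so expiry can be tested

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email.lower())
        return acct is not None and hmac.compare_digest(
            acct.password_hash, hash_password(password))

    # The behaviour the issue complains about: reset on request, no confirmation.
    def insecure_forgotten(self, email: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct is None:
            return False  # also tells the caller whether the address is registered
        new_password = secrets.token_urlsafe(9)
        acct.password_hash = hash_password(new_password)  # owner is locked out now
        self.outbox.append((acct.email, "Your new password is " + new_password))
        return True

    # Link-based flow, step 1: mail a token, never touch the password.
    def request_reset(self, email: str) -> str:
        acct = self.accounts.get(email.lower())
        if acct is not None:
            token = secrets.token_urlsafe(32)
            # Store only the hash: a leaked table cannot be replayed as links.
            token_hash = hashlib.sha256(token.encode()).hexdigest()
            self.pending[token_hash] = PendingReset(
                acct.email, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((acct.email, RESET_URL + token))
        # Same reply either way, so the form does not reveal who is a member.
        return "If that address is registered, a reset link has been sent."

    # Link-based flow, step 2: only the holder of the mailed token may proceed.
    def confirm_reset(self, token: str, new_password: str) -> bool:
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        pending = self.pending.get(token_hash)
        if pending is None or pending.used or self.now() > pending.expires_at:
            return False
        pending.used = True  # single use: a captured link cannot be replayed
        self.accounts[pending.email.lower()].password_hash = hash_password(new_password)
        return True


def demo() -> dict:
    """Runs both flows against a constructed account and returns the outcomes."""
    clock = [1_000.0]
    alice = lambda: Account("alice@example.com", hash_password("correct horse"))

    bad = PasswordResetService([alice()], now=lambda: clock[0])
    bad.insecure_forgotten("alice@example.com")   # attacker knows only the address
    locked_out = not bad.login("alice@example.com", "correct horse")

    good = PasswordResetService([alice()], now=lambda: clock[0])
    same_reply = (good.request_reset("alice@example.com")
                  == good.request_reset("nobody@example.com"))
    still_works = good.login("alice@example.com", "correct horse")
    token = good.outbox[0][1][len(RESET_URL):]
    wrong_token_rejected = not good.confirm_reset("not-the-token", "x")
    changed = good.confirm_reset(token, "new pass")
    replay_rejected = not good.confirm_reset(token, "again")

    late = PasswordResetService([alice()], now=lambda: clock[0])
    late.request_reset("alice@example.com")
    late_token = late.outbox[0][1][len(RESET_URL):]
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired_rejected = not late.confirm_reset(late_token, "too late")

    return dict(locked_out=locked_out, same_reply=same_reply,
                still_works=still_works, wrong_token_rejected=wrong_token_rejected,
                changed=changed, new_login=good.login("alice@example.com", "new pass"),
                replay_rejected=replay_rejected, expired_rejected=expired_rejected)


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in `demo()`: with the immediate reset, one request from anyone who knows the address invalidates the owner's current password; with the link flow, the password survives until the mailed token is presented, and a wrong, reused or expired token changes nothing.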

@arthurpf

Hi,

I'm starting an OpenCart store for my client and faced the same issue. I think it should be changed, or at least ask for a captcha when customers type their email address.
I agree with rgbworld. It should be reopened, or at least give two options in the admin panel: automatically reset or send a reset link.

@212nath

212nath commented May 26, 2014

This is quite an annoying issue. Why can't it be the same as when the admin clicks "forgot password", and an email with a link to reset the password is sent?
