
Question about 'Patterns for handling users' #95

Closed
VishKozus opened this issue Feb 20, 2016 · 2 comments

Comments

@VishKozus

Hi Rpicard,

Your book is very good, I learn a lot from your Explore Flask series.

I have a question about the 'Patterns for handling users' chapter. In this chapter, we only use an expiry time to ensure safety. But if the user's email account is stolen within the expiry time, then the one who stole our user's email account can access the user's account or change the user's password on our website.

Is there any way to make the token usable only once?

Thank you.

@rpicard
Owner

rpicard commented Feb 21, 2016

@VishKozus You're correct. If the user's email is taken over between the time they use the token and the time it expires, the attacker would still be able to use it. To ensure the token is only used once, you could store it on the back-end (e.g. in a database of some kind) and mark it as invalid once it has been used.

Keep in mind though, that if a user's email is taken over, the attacker can always go to your website and request a new password reset token, so you don't gain any meaningful security.
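The single-use pattern rpicard describes (sign the token, but also record it on the back-end and mark it invalid once used), written out as an added example that is not part of the issue thread or of the Explore Flask code. It uses only the standard library: an HMAC-signed payload plays the role of the signed token, and a dictionary stands in for the database table of issued tokens. `SECRET_KEY`, `_issued_tokens` and the function names are assumptions made for this example, and the rejection reasons are constructed labels.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumption: the application's secret key (constructed for this example).
SECRET_KEY = b"constructed-example-secret-key"

# Constructed stand-in for a database table of issued reset tokens:
# token id -> {"user_id": ..., "expires": ..., "used": False}
_issued_tokens = {}


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _sign(body: str) -> str:
    # HMAC-SHA256 over the encoded payload, keyed with the app secret.
    digest = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return _b64encode(digest)


def generate_reset_token(user_id: int, ttl_seconds: int = 3600,
                         now: Optional[float] = None) -> str:
    """Issue a signed, expiring token and record it server-side.

    The server-side record is what makes the token single-use: expiry alone
    cannot tell a first use from a replay within the validity window.
    """
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)  # random id, unique per issued token
    payload = {"jti": token_id, "uid": user_id, "exp": int(now + ttl_seconds)}
    body = _b64encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    _issued_tokens[token_id] = {"user_id": user_id,
                                "expires": payload["exp"],
                                "used": False}
    return f"{body}.{_sign(body)}"


def consume_reset_token(token: str,
                        now: Optional[float] = None) -> Tuple[bool, str, Optional[int]]:
    """Validate a token and mark it used. Returns (ok, reason, user_id)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed", None
    # Constant-time comparison of the presented signature with the expected one.
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad_signature", None
    payload = json.loads(_b64decode(body))
    record = _issued_tokens.get(payload["jti"])
    if record is None:
        return False, "unknown", None
    if record["used"]:
        return False, "already_used", None
    if now > record["expires"]:
        return False, "expired", None
    record["used"] = True  # the password-reset view would do this inside the same transaction
    return True, "ok", record["user_id"]


if __name__ == "__main__":
    t = generate_reset_token(42, ttl_seconds=600)
    print(consume_reset_token(t))  # first use succeeds
    print(consume_reset_token(t))  # second use is rejected as already_used
```

As rpicard notes, this only closes the replay window for a token the legitimate user has already spent; an attacker who controls the mailbox can still request a fresh token, so the store is a complement to, not a substitute for, protecting the email account itself.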

@VishKozus
Author

@rpicard
Thank you! I got it!
