locked Re: ANOTHER DISASTER - a member reset another member's password


 

The password reset link should probably expire after 30 minutes to an hour. That gives it time in case the email is slow but limits the amount of damage it can do if someone else gets it somehow. If the real user doesn't have time after generating the password reset to use it, that user can always generate a new password reset link later.

JohnF
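
The expiry window suggested in the message above, sketched as an added example (not part of the original post and not Groups.io's code). The `ResetTokenStore` class, its method names and the in-memory dictionary are hypothetical stand-ins for a real user database; it also makes each link single-use and lets a newly requested link replace the old one.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 30 * 60  # 30 minutes, the low end of the suggested window


class ResetTokenStore:
    """Hypothetical in-memory stand-in for a table of pending password resets."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested offline
        self._pending = {}       # user_id -> (sha256 of token, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a token; any earlier pending token for this user is replaced."""
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = (self._digest(token), self._clock() + self._ttl)
        return token             # appears only in the emailed link

    def redeem(self, user_id, token):
        """Return True once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[user_id]   # expired: the user requests a new link
            return False
        if not secrets.compare_digest(stored_digest, self._digest(token)):
            return False
        del self._pending[user_id]       # single use: a replayed link fails
        return True
```
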
