
I have a 'forgot password' system set up that sends an email with a reset link to the user. My question is: How can I prevent abuse of this system? How can I make sure that people don't use this to spam people's inboxes but still have it usable for the people that need it?

RS7
    You're asking a philosophical question on a programming site. It's up to you to decide how to avoid this. The most obvious thing would to disallow an IP from multiple requests over a period of time. – Joe Phillips May 09 '11 at 23:07
  • As Joe said, this might be better off over on programmers.stackexchange.com. – Michael B May 09 '11 at 23:11

5 Answers


Ask for the registered email address rather than the username? It is much less likely to be known by a malicious user.

Alternately, have a TimeOfLastReset field in your users table, and update this whenever you send an email. If CurrentTime-TimeOfLastReset is too small, then don't send.

Dan

When a recovery e-mail is sent, record the time at which it happened. If there are any further/too many recovery requests within a preset time interval (15 minutes? 6 hours? a day?), print a message and don't send the e-mail.

jwodder
    A message like: Please allow at least 15 minutes for email to arrive and be sure to check your junk mail box. If your mail provider has not received mail from us recently, the delivery can take up to 30 minutes. – Mel May 09 '11 at 23:11
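The two answers above (Dan's TimeOfLastReset check and jwodder's preset interval) combined into one worked example. This is added code, not from either poster; the cooldown and link lifetime values, the in-memory user store, the injectable clock and the send_email callback are all assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RESET_COOLDOWN_SECONDS = 15 * 60   # assumed: minimum spacing between reset mails per account
TOKEN_TTL_SECONDS = 60 * 60        # assumed: how long a mailed link stays valid

@dataclass
class User:
    email: str
    time_of_last_reset: float = 0.0    # the TimeOfLastReset column from the answer
    reset_token: Optional[str] = None
    token_expires_at: float = 0.0

class PasswordResetService:
    def __init__(self, users: Dict[str, User], send_email: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self._users = users            # assumed in-memory store keyed by lower-cased e-mail
        self._send_email = send_email  # assumed mail hook: send_email(address, token)
        self._now = now                # injectable clock so the cooldown can be tested

    def request_reset(self, email: str) -> bool:
        """Return True if a mail was sent, False if suppressed. Show the same neutral
        message either way, so the response does not reveal registered addresses."""
        user = self._users.get(email.strip().lower())
        if user is None:
            return False
        now = self._now()
        if now - user.time_of_last_reset < RESET_COOLDOWN_SECONDS:
            return False               # CurrentTime - TimeOfLastReset is too small
        user.time_of_last_reset = now
        user.reset_token = secrets.token_urlsafe(32)   # unguessable link token
        user.token_expires_at = now + TOKEN_TTL_SECONDS
        self._send_email(user.email, user.reset_token)
        return True

    def consume_token(self, token: str) -> Optional[User]:
        """Second step: the reset only happens when the mailed link is used."""
        now = self._now()
        for user in self._users.values():
            if user.reset_token is None or now > user.token_expires_at:
                continue
            # constant-time comparison so a token cannot be guessed byte by byte
            if hmac.compare_digest(user.reset_token.encode(), token.encode()):
                user.reset_token = None    # single use
                return user
        return None
```

A second request inside the cooldown is silently dropped, and each new mail replaces the previous token, so at most one link per account is valid at any time.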

1) You have to know your email address (not just the username).
2) You can reset your password only once in a timespan.
3) The reset doesn't work immediately; you have to click a link in the mail.

ave4496

Don't think it really has the potential of being abused by spammers.

For a spammer an automated message (with fixed content) sent to the user is useless.

However, what you can do is add the session id to a hidden field and check it on submit. Or add a hidden (display: none) field with name="message" and an empty value to the form, and check if it is still empty on form submit.

Let the user fill in both their username AND e-mail address and verify it.

PeeHaa

If you used email as the login username, it shouldn't be a big problem, since not everyone would know their email, and in order for them to be able to get a reset, their email must match in the database. Therefore it would only be sent and reset if someone entered a valid email.

robx