Closed
Description
Explanation
This is a low-impact but sub-optimal behavior for PW reset flows. The scenario is as follows:
- User requests PW reset
- User remembers password and logs in normally
- The PW reset token is NOT invalidated, and the token/link remains valid for the usual duration
The fix would be making sure to invalidate any outstanding PW reset token when the user logs in.
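To make the expected behaviour concrete, here is an added example (written for this issue, not code from the VRT project or any particular application) that models the reset flow in memory. Tokens are stored hashed with an expiry and keyed by user; `login()` revokes every outstanding token for that user when `invalidate_on_login` is enabled, and leaves them alive when it is disabled, which reproduces the reported weakness. Class and method names, the one-hour TTL and the sample credentials are all constructed for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional


class PasswordResetService:
    """Illustrative in-memory password-reset flow (constructed example).

    Reset tokens are stored as SHA-256 digests with an expiry and grouped by
    user so that all of a user's outstanding tokens can be revoked at once.
    Passwords are stored as salted PBKDF2 hashes.
    """

    TOKEN_TTL_SECONDS = 3600  # assumed "usual duration" of a reset link

    def __init__(self, invalidate_on_login: bool = True) -> None:
        # user -> {sha256(token): expiry_timestamp}
        self._reset_tokens: Dict[str, Dict[str, float]] = {}
        # user -> (salt, pbkdf2 hash)
        self._credentials: Dict[str, tuple] = {}
        # False models the weak behaviour described in the issue.
        self.invalidate_on_login = invalidate_on_login

    @staticmethod
    def _hash_token(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._credentials[user] = (salt, self._hash_password(password, salt))

    def request_reset(self, user: str, now: Optional[float] = None) -> str:
        """Issue a fresh reset token; only its hash is retained server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        expiry = now + self.TOKEN_TTL_SECONDS
        self._reset_tokens.setdefault(user, {})[self._hash_token(token)] = expiry
        return token

    def login(self, user: str, password: str) -> bool:
        """Normal login. The fix: a successful login proves the user no longer
        needs the reset, so every outstanding reset token is dropped."""
        cred = self._credentials.get(user)
        if cred is None:
            return False
        salt, stored = cred
        if not secrets.compare_digest(stored, self._hash_password(password, salt)):
            return False
        if self.invalidate_on_login:
            self._reset_tokens.pop(user, None)
        return True

    def is_reset_token_valid(self, user: str, token: str,
                             now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        expiry = self._reset_tokens.get(user, {}).get(self._hash_token(token))
        return expiry is not None and now < expiry

    def consume_reset_token(self, user: str, token: str, new_password: str,
                            now: Optional[float] = None) -> bool:
        """Complete a reset: single use, and all other tokens for the user go too."""
        if not self.is_reset_token_valid(user, token, now):
            return False
        self.register(user, new_password)
        self._reset_tokens.pop(user, None)
        return True


def token_survives_login(invalidate_on_login: bool) -> bool:
    """Run the issue's scenario and report whether the reset link still works
    after the user logs in normally."""
    svc = PasswordResetService(invalidate_on_login=invalidate_on_login)
    svc.register("alice", "correct horse")        # constructed sample account
    token = svc.request_reset("alice", now=1000.0)  # step 1: user requests reset
    assert svc.login("alice", "correct horse")     # step 2: user logs in normally
    return svc.is_reset_token_valid("alice", token, now=1500.0)  # step 3


if __name__ == "__main__":
    print("weak implementation, token still valid after login:",
          token_survives_login(invalidate_on_login=False))   # True
    print("fixed implementation, token still valid after login:",
          token_survives_login(invalidate_on_login=True))    # False
```

When reviewing a real implementation, the check that corresponds to this example is whether the login handler (and, ideally, the successful reset handler) deletes or marks used every outstanding reset record for that user, rather than relying on expiry alone.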
This would be a P5, nested like so:
Insufficient Security Configurability > Weak Password Reset Implementation > Token is Not Invalidated After Login