Let's say I register for an account. I post an item for sale.
User contacts me about the item using "contact publisher". When I receive the message, I email the user back.
This person now has the email I use with my account.
He can go to index.php?page=login&action=recover, type in my email address, then hit submit.
Each time he clicks refresh (F5), I get spammed with an email.
Also, my password is changed immediately - without verification required after receiving the email.
So any person who knows I use the classified website can mess with my password.
Improvement suggestions:
1. Add captcha to password recovery page. (I also suggest adding this to all non-member pages, like login and contact site owner).
2. Don't change password when the recovery is started. Instead, store the pass_recovery request in db table:
os_t_user_pass_temp:
=> fk_i_user_id
=> dt_date
=> recovered
=> warning
And send an email with verify_password_recovery URL. "Password recovery has been initialized for your account at http://demo.osclass.org. If this was you, click here to complete password reset."
When the user clicks the link from the email, THEN send the email with the new password.
In the email, add a link: "Cancel this request, it wasn't me! I have my password." Clicking this link will terminate the request and block further password recovery attempts, for this email, for 48 hours. Set => warning = 1.
3. If there is a pending pass_recovery request, don't send a second email. "Password recovery for this account is already in progress. Check your email for instructions."
4. When recovery is completed, set => recovered = 1. But leave it in the db table. If someone attempts recovery again within the next 24 hours: "Your password was recovered recently. Please wait 24 hours to try again."
5. Cron: after 24 hours, delete records where recovered = 1 and warning = 0.
After 48 hours, where recovered = 1 and warning = 1.
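The request, verify, cancel and cron rules from steps 2 to 5 worked through as an added Python example (not code from Osclass or from this post). It uses an in-memory SQLite table with the proposed os_t_user_pass_temp columns, returns status strings where the real site would send mail, and labels one assumption: that cancelling a request also closes it (recovered=1) so the 48-hour cron rule can purge the row.

```python
import sqlite3
from datetime import datetime, timedelta

H24, H48 = timedelta(hours=24), timedelta(hours=48)
T0 = datetime(2024, 1, 1, 12, 0)                       # constructed clock for the walkthrough
def at(hours): return T0 + timedelta(hours=hours)      # clock time N hours after T0

def open_db():
    # In-memory stand-in for the proposed os_t_user_pass_temp table (constructed for this example)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE os_t_user_pass_temp (fk_i_user_id INTEGER, dt_date TEXT, "
                 "recovered INTEGER DEFAULT 0, warning INTEGER DEFAULT 0)")
    return conn

def _latest(conn, uid):
    row = conn.execute("SELECT dt_date, recovered, warning FROM os_t_user_pass_temp "
                       "WHERE fk_i_user_id=? ORDER BY dt_date DESC LIMIT 1", (uid,)).fetchone()
    return None if row is None else (datetime.fromisoformat(row[0]), row[1], row[2])

def request_recovery(conn, uid, now):
    """Steps 2-4: what the recovery form does. Returns a status instead of sending mail."""
    rec = _latest(conn, uid)
    if rec:
        started, recovered, warning = rec
        if warning and now - started < H48:
            return "blocked: a request was cancelled, recovery disabled for 48 hours"
        if not recovered and not warning:
            return "pending: recovery already in progress, check your email"
        if recovered and not warning and now - started < H24:
            return "cooldown: password was recovered recently, wait 24 hours"
    conn.execute("INSERT INTO os_t_user_pass_temp VALUES (?, ?, 0, 0)", (uid, now.isoformat()))
    return "verify link sent"  # the password itself is NOT changed at this point

def confirm_recovery(conn, uid):
    """User clicked the verify link: only now would the new password be generated and mailed."""
    return conn.execute("UPDATE os_t_user_pass_temp SET recovered=1 WHERE fk_i_user_id=? "
                        "AND recovered=0 AND warning=0", (uid,)).rowcount == 1

def cancel_request(conn, uid):
    """'It wasn't me': close the request and flag it. Assumption: closing also sets recovered=1,
    so the 48-hour cron rule below can purge the row."""
    return conn.execute("UPDATE os_t_user_pass_temp SET recovered=1, warning=1 "
                        "WHERE fk_i_user_id=? AND recovered=0", (uid,)).rowcount == 1

def cron_cleanup(conn, now):
    """Step 5: purge closed requests after 24h (normal) or 48h (cancelled). Returns rows deleted."""
    q = "DELETE FROM os_t_user_pass_temp WHERE recovered=1 AND warning=? AND dt_date < ?"
    return (conn.execute(q, (0, (now - H24).isoformat())).rowcount
            + conn.execute(q, (1, (now - H48).isoformat())).rowcount)
```

Repeated submissions while a request is pending return the "pending" status and insert nothing, which is what stops the refresh-to-spam behaviour described above.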