
Conversation

@sebastiannielsen

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • [N/A] In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • [N/A] All your assets are stored in the assets folder.
  • [N/A] All the images used are in the PNG format.
  • [N/A] Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., is the defensive code proposed really an effective remediation? Please verify that it works!).
  • The CI build of your PR passes, see the build status here.
  • (Do not know how to run a CI build, please do it for me)

If your PR is related to an issue, please finish your PR text with the following line:

** Not related to issue **

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is [llm name and version]
    and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you again for your contribution 😃

…ps on how to complete a password reset without a limited session.

Added a suggestion on how a password reset mechanism can be constructed to avoid writing to the database (by securely hashing items read from the database).

This while still fulfilling the requirements that the tokens expire after a time, become invalid after use, and are sufficiently long to protect against brute force.

The invalidation works by making the current password hash (not the current password) an input in generating the reset token. Thus a password change will lead to another password hash, which means the token generated will be different, so the previous token becomes invalidated.

Another tip added is that token invalidation should be avoided when the token link is clicked, because an increasing number of mail providers have started to scan links by "clicking" them. Some security software also does this, by sending the link to a cloud service.
This also means the token should not be checked when visiting the token link, as that opens up a brute-force possibility. Only on a valid password reset submission (where everything else is OK) should the token be checked for validity.

Thus, the token should ONLY be invalidated or "consumed" when the user actually completes a password reset using the reset link.

Also added the suggestion to avoid creating a session for the PIN reset method, by having the end user submit everything in one go, meaning the user enters the PIN, username, new password and new password again on the same page.

Here it is also important to avoid invalidating the PIN if the password doesn't adhere to policy. In that case, the validity of the PIN should not be checked at all, since that would otherwise create a brute-force vulnerability.
Small spell fix
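As an added example (not code from this PR, nor from the cheat sheet it edits), here is the stateless reset token the commit message above describes, in Python. The token is a keyed hash over the username, an expiry timestamp and the user's current password hash, so issuing it writes nothing to the database, it expires on its own, and it stops verifying the moment the password hash changes. The server-side key (added so that knowing the database values alone is not enough to compute a token), the PBKDF2 password hash, the in-memory user store and the 12-character policy are all assumptions for the example. The handlers also follow the ordering the description asks for: visiting the link only renders the form and never touches the token, and the token is checked only after the rest of the submission is valid. The same ordering applies to the one-page PIN variant.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a server-side secret so that the token is a keyed hash (HMAC).
# Anyone who only knows the database values cannot compute a valid token.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory user store standing in for the real database.
USERS = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, a stand-in for whatever password hash the site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "password_hash": hash_password(password, salt)}


def _token_mac(username: str, expires: int, password_hash: bytes) -> str:
    # The current password hash is an input: once the password changes, the
    # hash changes, so every token issued before the change stops verifying.
    msg = b"\0".join([username.encode(), str(expires).encode(), password_hash])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_reset_token(username: str, ttl_seconds: int = 3600,
                      now: Optional[int] = None) -> Optional[str]:
    """Build a reset token from database values only; nothing is written."""
    user = USERS.get(username)
    if user is None:
        return None  # the caller still shows the same "email sent" message
    expires = (now if now is not None else int(time.time())) + ttl_seconds
    # A 256-bit MAC is far too long to brute force; an opaque user id could
    # replace the username if you do not want it visible in the link.
    return f"{username}:{expires}:{_token_mac(username, expires, user['password_hash'])}"


def password_meets_policy(password: str) -> bool:
    # Stand-in policy; use the site's real one.
    return len(password) >= 12


def render_reset_form(token: str) -> dict:
    """Visiting the link only renders the form. No token check and no
    invalidation here, so link-scanning mail gateways cannot consume the token
    and fetching the URL gives an attacker no validity oracle."""
    return {"token": token, "fields": ["username", "new_password", "confirm_password"]}


def complete_reset(token: str, username: str, new_password: str, confirm: str,
                   now: Optional[int] = None) -> str:
    """Handle the one-page submission. Everything else is checked before the
    token, so the token is only ever evaluated on a complete, well-formed
    request and a rejected submission never consumes it."""
    if new_password != confirm:
        return "passwords do not match"
    if not password_meets_policy(new_password):
        return "password does not meet policy"
    try:
        tok_user, expires_str, mac = token.split(":")
        expires = int(expires_str)
    except ValueError:
        return "invalid token"
    user = USERS.get(username)
    current = now if now is not None else int(time.time())
    if user is None or tok_user != username or current > expires:
        return "invalid token"
    expected = _token_mac(username, expires, user["password_hash"])
    if not hmac.compare_digest(expected, mac):
        return "invalid token"
    # Storing the new hash is the only database write in the whole flow, and it
    # is what "consumes" the token: the MAC no longer recomputes afterwards.
    user["salt"] = secrets.token_bytes(16)
    user["password_hash"] = hash_password(new_password, user["salt"])
    return "ok"
```

Rate limiting of the completion endpoint is still needed, because a wrong MAC is rejected there; the point of the ordering is that the token check is never reachable from merely loading the link or from a submission that would have failed anyway.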
Collaborator

@szh szh left a comment


The language and formatting are a bit too casual. Can you make it fit the tone of the document better?

@sebastiannielsen
Author

The lint checker on 109 is a footnote that refers to the * item in the ordered list, so how should this be expressed so the lint checker doesn't complain?

@szh Could you help me a bit? I'm a native Swedish speaker, not English, and even though I'm very good at English, it's kind of hard to understand what you meant by "casual".
I have enabled edit rights for code owners in the pull request so you should be able to edit it.

@mackowski
Collaborator

The lint checker on 109 is a footnote that refers to the * item in the ordered list, so how should this be expressed so the lint checker doesn't complain?

I think you should use `-` like on line 104:

2. Send it to the user via SMS or another mechanism.
   - Breaking the PIN up with spaces makes it easier for the user to read and enter.
3. The user then enters the PIN along with their username on the password reset page.


4 participants