Use a random value for the password reset hash to reduce the chances

that it can be guessed by an attacker.
author: Bharat Mediratta <bharat@menalto.com> 2009-05-27 00:50:24 -0700
committer: Bharat Mediratta <bharat@menalto.com> 2009-05-27 00:50:24 -0700
commit: 0a66ddd2b4ea676e033102812232dd06644845e7 (patch)
tree: a8ea48ca4ab96d9502963d6d5ee7260ca60f1b0e
parent: d987af5605afc85c6f7c650d2ad7370c59b0c207 (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index 5e3c45fb..8604b7c4 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -54,8 +54,7 @@ class Password_Controller extends Controller {
     }
 
     if ($valid) {
-      $user->hash = md5("$user->id; $user->name; $user->full_name; " .
-                        "$user->login_count; $user->last_login");
+      $user->hash = md5(rand());
       $user->save();
       $message = new View("reset_password.html");
       $message->url = url::abs_site("password/do_reset?key=$user->hash");
author	Bharat Mediratta <bharat@menalto.com>	2009-05-27 00:50:24 -0700
committer	Bharat Mediratta <bharat@menalto.com>	2009-05-27 00:50:24 -0700
commit	0a66ddd2b4ea676e033102812232dd06644845e7 (patch)
tree	a8ea48ca4ab96d9502963d6d5ee7260ca60f1b0e
parent	d987af5605afc85c6f7c650d2ad7370c59b0c207 (diff)