From 0a66ddd2b4ea676e033102812232dd06644845e7 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Wed, 27 May 2009 00:50:24 -0700
Subject: Use a random value for the password reset hash to reduce the chances that it can be guessed by an attacker.

---
 modules/user/controllers/password.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'modules/user/controllers')

diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index 5e3c45fb..8604b7c4 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -54,8 +54,7 @@ class Password_Controller extends Controller {
 }
 
 if ($valid) {
- $user->hash = md5("$user->id; $user->name; $user->full_name; " .
- "$user->login_count; $user->last_login");
+ $user->hash = md5(rand());
 $user->save();
 $message = new View("reset_password.html");
 $message->url = url::abs_site("password/do_reset?key=$user->hash");
-- 
cgit v1.2.3
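Review bot: `$user->hash = md5(rand());` on the added line still leaves the reset key guessable: rand() is not seeded from a cryptographic source and its output is bounded by getrandmax() (2^31-1 on most builds, historically only 32767 on Windows), so the md5 of it ranges over at most a few billion values that anyone able to submit requests to `password/do_reset?key=` can enumerate. Derive the key from a CSPRNG instead, e.g. `$user->hash = bin2hex(random_bytes(16));`, which keeps the 32-character shape of an md5 digest so the existing `hash` column and the `do_reset?key=` URL need no change (on a PHP build without random_bytes(), `openssl_random_pseudo_bytes(16)` is the fallback). The hunk shows no expiry or single-use handling for the key; if any exists it lives in the rest of Password_Controller, whose enclosing method starts and ends outside this hunk.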