We found that the token generated for the password self reset service is
not automatically removed after use. This can be tested by following the
link provided in the email containing the token more than one time.

This is a security problem since as long as the token is valid (i.e. one
hour) a second person able to capture the mail or the URL can change the
password again and then use the account.

Is this a bug or the (only) way sspr is working?
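
For comparison, a sketch of single-use token handling (an added example, not part of the original post and not code from the SSPR tool discussed). The class `ResetTokenStore`, its methods and the in-memory dictionary are hypothetical; only the one-hour validity comes from the post.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # the one-hour validity mentioned in the post


class ResetTokenStore:
    """Hypothetical in-memory store; a real service would use a database or cache."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked store does not reveal usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (username, expires_at)
        return token

    def consume(self, token):
        """Return the username once; any later call with the same token gets None."""
        # pop() removes the entry in the same step that reads it, so a replayed
        # link finds nothing even while the one-hour window is still open.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return username


def replay_demo():
    """Follow the same reset link twice inside the validity window."""
    now = [1_000_000.0]  # constructed clock value
    store = ResetTokenStore(clock=lambda: now[0])
    token = store.issue("alice")  # constructed username
    now[0] += 60
    first = store.consume(token)
    now[0] += 60
    second = store.consume(token)
    return first, second
```

Calling `consume()` when the new password is submitted, rather than when the link is first opened, keeps mail scanners that pre-fetch links from using up the token.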



