
Password Recovery link potential security issue

Barry Geukdjian

We were told by security advisors that the current password recovery link sent via email by DW is using Referrer-Policy in the header and that this is potentially a security issue.  The link can be easily hacked and the account taken over by others.  Could we disable the Referrer-Policy (how could we do this in Swift/DW 9.15) and what would be the consequence of doing this? Also, is there a way that the password recovery link can be setup in DW so that it has a expiration (say 10 minutes) and also, once used, to auto-expire?


Replies

Nicolai Pedersen (Dynamicweb Employee)

The link in the mail itself does not have a referrer policy, but the website the link points to does (your DW site). You can control the response headers under Settings -> Web & HTTP (see Security headers): https://doc.dynamicweb.com/documentation-9/platform/advanced-settings/web-and-http#3518

What the correct settings are, I do not know - each "Specialist" has different opinions, so you can talk to them about how they think it should be.

The recovery link has an expiration already - you can define your own expiration on the login page (read the last grey box in this link):

https://doc.dynamicweb.com/documentation-9/users/user-management/extranet/login-mode#2519

Once the recovery link has been used, the token is reset and cannot be used again. The recovery token has a minimum validity of 1 hour, so you cannot change it to 10 minutes.

This is the default setup for Swift:
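As an added example (not part of the thread and not Dynamicweb's implementation), the following Python models the two properties Nicolai describes for the recovery token: it expires, with a floor of 1 hour that a shorter request cannot go below, and it is invalidated on first use. The class name, the use of SHA-256 to store only a digest of the token, and the injectable clock are assumptions made for the example; the 3600-second floor mirrors the "minimum validity of 1 hour" stated above.

```python
import hashlib
import secrets
import time

# The thread states the recovery token is valid for at least 1 hour; this
# constant mirrors that floor (value assumed for this example).
MIN_VALIDITY_SECONDS = 3600


def _digest(token: str) -> str:
    # Store only a hash, so a leaked copy of the store cannot be replayed as links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RecoveryTokenStore:
    """Issues single-use, expiring password-recovery tokens (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can move time forward
        self._tokens = {}        # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str, validity_seconds: int = MIN_VALIDITY_SECONDS) -> str:
        # Enforce the 1-hour floor: a request for 10 minutes is raised to
        # 3600 seconds rather than honoured, as the thread says DW does.
        validity = max(int(validity_seconds), MIN_VALIDITY_SECONDS)
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL safe
        self._tokens[_digest(token)] = (user_id, self._clock() + validity)
        return token

    def redeem(self, token: str):
        """Return the user id if the token is valid, otherwise None.

        pop() removes the entry on first use, so presenting the same link a
        second time fails even while it is still inside its validity window.
        """
        entry = self._tokens.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired tokens are dropped, never re-inserted
        return user_id

    def effective_validity(self, token: str):
        """Seconds until the token expires (for inspection); None if unknown."""
        entry = self._tokens.get(_digest(token))
        return None if entry is None else entry[1] - self._clock()


if __name__ == "__main__":
    now = [1_000_000.0]
    store = RecoveryTokenStore(clock=lambda: now[0])
    link_token = store.issue("user-42", validity_seconds=600)  # asked for 10 min
    print("validity actually granted:", store.effective_validity(link_token))
    print("first use:", store.redeem(link_token))
    print("second use:", store.redeem(link_token))
```

The store keeps only a digest, so the raw token exists in the e-mailed link and nowhere else; redemption looks the digest up and removes it in one step, which is what makes the link single-use.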

Barry Geukdjian

Hi Nicolai,

Thank you for the prompt response.

Is the "Link active for" feature available also for Rapido?  This is for a Rapido customer.

For the security header regarding the referrer policy, would you expect to have issues if we set it to "no-referrer"?

Nicolai Pedersen (Dynamicweb Employee)

I cannot remember how Rapido does password reset, but if it uses the "send link to reset page" you can set the expiration.

Currently browsers have strict-origin-when-cross-origin as their default, so the advice you have been given related to referrer policy might be kind of out of date for 99% of users.

Setting the referrer policy to no-referrer (which is more strict than default browser behavior) will probably break something in the website - it could affect add to cart, login redirects and other things that rely on an internal website referer value. A less risky setting would be strict-origin-when-cross-origin or same-origin, which will keep the referer inside the same hostname but not send it to other hostnames. But as said, that is default browser behavior already, so it would practically have little or no effect.

BR Nicolai
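To make the trade-off in the reply above concrete, here is an added Python model (not from the thread or from Dynamicweb) of what the browser puts in the Referer header under each Referrer-Policy value when a page is the source of a navigation or sub-resource request. It is run against a constructed recovery-link URL: the hostnames, the Default.aspx path and the RecoveryToken query parameter are placeholders assumed for the example, not DW's real link format. The simulation follows the eight policy values defined by the Referrer Policy specification.

```python
from urllib.parse import urlsplit, urlunsplit


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def _referrer_url(url: str) -> str:
    # A full Referer never carries userinfo or the #fragment.
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def _is_downgrade(src: str, dst: str) -> bool:
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referer_for(policy: str, src: str, dst: str):
    """Referer value sent from page `src` when it requests `dst`, or None."""
    same_origin = _origin(src) == _origin(dst)
    downgrade = _is_downgrade(src, dst)
    origin_only = _origin(src) + "/"   # origin-only referers end in "/"
    full = _referrer_url(src)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":   # old browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":   # current browser default
        if same_origin:
            return full
        return None if downgrade else origin_only
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy value: {policy}")


# Constructed sample URLs (placeholders, not Dynamicweb's real link format).
RESET_LINK = "https://shop.example/Default.aspx?ID=123&RecoveryToken=TOKEN-PLACEHOLDER"
SAME_SITE_PAGE = "https://shop.example/Default.aspx?ID=1"
THIRD_PARTY = "https://cdn.third-party.example/widget.js"
PLAIN_HTTP = "http://insecure.example/"

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def token_exposed(policy: str, src: str = RESET_LINK, dst: str = THIRD_PARTY) -> bool:
    """True if the recovery token in `src` would reach `dst` via Referer."""
    ref = referer_for(policy, src, dst)
    return ref is not None and "RecoveryToken=" in ref


def exposure_table(dst: str = THIRD_PARTY) -> dict:
    """Policy -> whether the token leaks to `dst`; useful for a quick review."""
    return {p: token_exposed(p, RESET_LINK, dst) for p in POLICIES}


if __name__ == "__main__":
    for policy, leaks in exposure_table().items():
        print(f"{policy:32} token reaches third party: {leaks}")
    print("same-origin referer under current default:",
          referer_for("strict-origin-when-cross-origin", RESET_LINK, SAME_SITE_PAGE))
```

Running it shows the two points of the reply: under strict-origin-when-cross-origin the token in the query string never reaches another hostname (only `https://shop.example/` is sent), so tightening to no-referrer buys nothing against that leak; and under no-referrer the same-origin navigation from the reset page sends no Referer at all, which is the value that add-to-cart or login-redirect logic may depend on. Only the legacy no-referrer-when-downgrade and unsafe-url values send the full link cross-origin. Note that this models the Referer header only; a third-party script already executing on the page can still read the location directly, which is a separate concern.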

Barry Geukdjian

You are absolutely right! Found the same settings in Rapido under Customer center - it is set by default to 1 hour as well.

Regarding your suggestion for the referrer-policy, I will inform the customer, try and see.

BR Barry
