Is there anything wrong with this procedure?
- Enter username and email in a reset form.
- Flask creates a really long random string and stores it into the session under “reset_code”. Session will also have a key for “reset_pw_username”
- Flask sends an email with a link to the path /password_reset/reset_pw_username/reset_code
- That link displays a form where the customer can reset the password if the session reset code matches the session reset_code item. Otherwise it bombs out.
- The session will expire the reset code after an hour.
You must ensure that username and email entered match one of the accounts (or use emails as username in the first place).
From a usability perspective, this won’t work if the browser that displays the link contained in the email is not the same as the one initially used.
Apart from that, you should pay special attention to the randomness (not so much the length) of the reset_code. It should be cryptographically random (i.e. os.urandom) so that an attacker cannot simply guess it. random.random and derived methods are not suitable.
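One way to generate and check such a reset_code, as an added example that is not code from the question or the answer: the code comes from Python's secrets module (which draws from os.urandom), only its hash is kept server-side keyed by username instead of in the browser session (so the link also works from a different browser), the check is constant-time, and the code is single-use and expires after the one hour stated above. The ResetTokenStore class and the injectable clock are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 3600  # the one-hour expiry from the procedure above


class ResetTokenStore:
    """Server-side store for password-reset codes (constructed example).

    The code is produced by the secrets module, i.e. os.urandom output,
    so it is not guessable the way random.random output is. Only a
    SHA-256 hash of the code is stored, so a leaked store does not hand
    out usable reset links.
    """

    def __init__(self, now=time.time):
        self._now = now               # injectable clock, for testing expiry
        self._pending = {}            # username -> (sha256(code), expires_at)

    def issue(self, username):
        """Create a fresh code for username and return it for the email link."""
        code = secrets.token_urlsafe(32)                      # 256 bits of CSPRNG output
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[username] = (digest, self._now() + RESET_TTL_SECONDS)
        return code

    def verify(self, username, code):
        """Return True once for a valid, unexpired code; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[username]                       # stale code, drop it
            return False
        presented = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):        # constant-time compare
            return False
        del self._pending[username]                           # single use
        return True
```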