Rafael Steil wrote: Well...
If you don't know your username, you will insert the email address to recover the password. And that's where the problem lives.
If you don't know your username, the system will check the provided email and register a securityHash to the record, and then an email will be sent to the address.
If you have multiple accounts under the same email address, the system will use the first matching record.
A possible solution is to show all usernames related to that email account and ask the user to choose the one he wants to recover. That should fix the "problem".
On the other hand, couldn't this be considered some sort of security flaw then?
Rafael
Asking the user to choose which one he wants to recover will break the account/email privacy, and that's bad.
My solution would be sending as many mails as accounts registered for the email.
But I hope I have been clear: the bug is not really there. The bug is that, whether you know your account name or not, if you have multiple accounts the check fails (the one after receiving the mail).
[originally posted on jforum.net by pala]
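The two flows discussed in this thread, as an added example that is not jForum's code: a "first matching record" recovery and check (the behaviour Rafael describes, where the second account under the same email never gets a hash and the post-mail check fails for it), beside pala's proposal of one mail per account, each carrying its own hash, validated against the account named in the mail. The in-memory user table, the field names (`security_hash`, `hash_expires`) and the outbox list are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory user table (not jForum's schema): two accounts share one email.
USERS = [
    {"username": "alice",  "email": "alice@example.com", "security_hash": None, "hash_expires": 0},
    {"username": "alice2", "email": "alice@example.com", "security_hash": None, "hash_expires": 0},
    {"username": "bob",    "email": "bob@example.com",   "security_hash": None, "hash_expires": 0},
]

HASH_TTL_SECONDS = 3600  # assumed lifetime of a recovery hash


def _find_by_email(email):
    return [u for u in USERS if u["email"].lower() == email.lower()]


def _find_by_username(username):
    for u in USERS:
        if u["username"] == username:
            return u
    return None


def _issue_hash(user, outbox):
    # Unpredictable token; the mail carries the username so the recipient need not know it.
    user["security_hash"] = secrets.token_urlsafe(32)
    user["hash_expires"] = time.time() + HASH_TTL_SECONDS
    outbox.append({"to": user["email"], "username": user["username"], "hash": user["security_hash"]})


# --- behaviour described in the thread: only the first matching record is used ---
def recover_first_match(email, outbox):
    """Buggy flow: a hash and a mail go to the first account under the email only."""
    matches = _find_by_email(email)
    if not matches:
        return 0
    _issue_hash(matches[0], outbox)
    return 1


def validate_first_match(email, presented_hash):
    """Buggy check: looks the record up by email and compares against the first one only,
    so a hash issued for any other account under that email never validates."""
    matches = _find_by_email(email)
    if not matches or matches[0]["security_hash"] is None:
        return None
    if hmac.compare_digest(matches[0]["security_hash"], presented_hash):
        return matches[0]["username"]
    return None


# --- pala's proposal: one mail per registered account, each with its own hash ---
def recover_all_accounts(email, outbox):
    """Send one recovery mail per account under the email; returns how many were sent.
    The page shows the requester nothing, so the set of usernames is not disclosed."""
    matches = _find_by_email(email)
    for user in matches:
        _issue_hash(user, outbox)
    return len(matches)


def validate_per_account(username, presented_hash):
    """Check the hash against the account named in the mail: constant-time compare,
    expiry, and single use."""
    user = _find_by_username(username)
    if user is None or user["security_hash"] is None:
        return False
    if time.time() > user["hash_expires"]:
        user["security_hash"], user["hash_expires"] = None, 0
        return False
    ok = hmac.compare_digest(user["security_hash"], presented_hash)
    if ok:
        user["security_hash"], user["hash_expires"] = None, 0  # single use
    return ok
```

The per-account check keys on the username carried in the mail rather than on the email address, which is what lets both the "I know my username" and the "I only know my email" paths succeed for every account; the buggy email-keyed check is left in the block so the failure pala describes can be reproduced side by side.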