2

I notice that the default ASP.NET Core Identity templates ask for email address after the reset email notification link has been followed (i.e. the "choose a new password" form in the ResetPassword.cshtml view).

Why would having the user re-provide their email address when choosing a new password be more secure?

I get that the token could be sniffed from the email, but if that's the case, then surely the email address could be sniffed at the same time?

Steve S
  • 121
  • 2

1 Answer

1

Probably just a usability oversight.

I don't think it has any relation to security as you can just open the reset link if you own the email address it is sent to. So, you know the email address. As you pointed out, there is no reason to "protect" this email address and you can just fill it in by default in the form, which will save the user the trouble of typing it.

Gudradain
  • 6,921
  • 2
  • 26
  • 43
  • Thanks for your thoughts. Somewhat curiously, the reset link generated by the templates actually includes the user identifier, so the email isn't required to obtain the user object. – Steve S May 23 '17 at 14:18
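As an added illustration of the point made in the comment (this is example code, not the question's or the Identity templates' own), here is a reset handler that resolves the account from the user id carried in the link and lets `UserManager` validate the token, so the form never needs a re-typed email; the controller name and view-model property names are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumed view model: UserId and Code come from the reset link's query string,
// Password from the "choose a new password" form.
public class ResetPasswordModel
{
    public string UserId { get; set; }
    public string Code { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;

    public AccountController(UserManager<IdentityUser> userManager)
        => _userManager = userManager;

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ResetPassword(ResetPasswordModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // The link already identifies the account, so look it up by id
        // instead of asking the user to type the email again.
        var user = await _userManager.FindByIdAsync(model.UserId);
        if (user == null)
        {
            // Respond the same way for unknown ids so the form does not
            // reveal whether an account exists.
            return RedirectToAction(nameof(ResetPasswordConfirmation));
        }

        // What actually gates the change is the reset token: ResetPasswordAsync
        // validates it for this specific user (the token is bound to the user
        // and their security stamp) before setting the new password.
        var result = await _userManager.ResetPasswordAsync(user, model.Code, model.Password);
        if (result.Succeeded) return RedirectToAction(nameof(ResetPasswordConfirmation));

        foreach (var error in result.Errors)
            ModelState.AddModelError(string.Empty, error.Description);
        return View(model);
    }

    public IActionResult ResetPasswordConfirmation() => View();
}
```

If the template URL-encodes the token when building the link, decode it before passing it to `ResetPasswordAsync`; a token that fails validation is reported through `result.Errors` rather than by an exception.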