Add security information (IP and browser) to the password reset email #37808
Conversation
core/Controller/LostController.php
```php
    $platform = $this->l10n->t('unknown');
}
$emailTemplate->addBodyText(
    htmlspecialchars($this->l10n->t('Security notice: This password reset was requested from following IP address and browser: %1$s (%2$s).', [ $this->request->getRemoteAddress(), $platform ]))
```
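Review bot: the `htmlspecialchars(...)` wrapper around the translated string in the `addBodyText` call is worth checking against the template API: if `addBodyText` already HTML-escapes its first argument and, when no second argument is given, reuses that same string for the plain-text part of the mail, then the HTML part is double-encoded and the plain-text part carries entities such as `&amp;` whenever the platform string contains such characters. Passing the translated string unescaped, or supplying an explicit plain-text variant as the second argument, avoids both outcomes.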
I would rephrase and reorder this information
Password reset
A password reset was requested from %1$s (IP address) and using %2$s.
If you have not requested the password reset, then ignore this email.
Otherwise, click the following link to reset your password.
I have added that additional paragraph because of this comment: #4345 (comment)
So I checked all reset password emails in my inbox and most of them did not have information like this.
But if they did, it was the first information given.
cc @jancborchardt for your 6y old comment
also cc @nimishavijay :)
As per GDPR officer we can not do this:
#37808 (comment)
Then closing :)
Signed-off-by: Ferdinand Thiessen <[email protected]>
Stupid question maybe, but are there no data privacy implications here?
It is. The server is processing the IP address and thus the user must be informed prior to it. As far as I know we do not ship such information by default, so I tend to not include this at all.
As per GDPR officer we can not do this:
Would it make sense to only include the browser?
Summary
Add some metadata like the IP address and the browser type to the password reset mail for fraud detection.