Email forgotten password has a flaw that needs attention
There is a flaw I have found with the email forgot password feature.
I created my pages with Security Assist, so I haven't changed the code. There may be a fix for this; if so, please let me know.
[RECREATING THE PROBLEM]
When a user requests to have their password reset and the email gets sent to their inbox, they click the return URL, and IF they input the wrong email into the field and proceed with the reset and submit, it is successful. They get sent to the login screen to log in.
If you've done the above steps you will find that the email the user used to reset with will be overridden in the DB with the new email, and IF that email already happens to be in the DB belonging to another user, then we have just successfully not only changed their account details, but that user has just lost their account to login.
I hope you understand me.
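As an added illustration (not the poster's code and not Security Assist's generated code), the following Python model reproduces the flow described above against an in-memory stand-in for the users and reset-token tables, and places the flawed reset handler beside a hardened one. The names `Store`, `request_reset`, `flawed_reset`, `hardened_reset` and `login`, and the sample users `alice` and `bob`, are assumptions made for the example. The hardened handler treats the emailed token as the only proof of identity, checks that the address typed into the form matches the account the token was issued for, and never writes the form value back to the account.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str
    password_hash: str


def hash_password(pw):
    # Demonstration only; a real application should use bcrypt, scrypt or argon2.
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class Store:
    """Constructed in-memory stand-in for the users table and the reset-token table."""
    users: dict = field(default_factory=dict)   # username -> User
    tokens: dict = field(default_factory=dict)  # reset token -> username

    def find_by_email(self, email):
        # Mimics SELECT ... WHERE email = ? LIMIT 1: the first matching row wins,
        # which is exactly why a duplicated email locks the other user out.
        for user in self.users.values():
            if user.email.lower() == email.lower():
                return user
        return None


def seed_store():
    """Two constructed sample accounts."""
    s = Store()
    s.users["alice"] = User("alice", "alice@example.com", hash_password("alice-old"))
    s.users["bob"] = User("bob", "bob@example.com", hash_password("bob-old"))
    return s


def request_reset(store, email):
    """Step 1: bind a random token to the account; the token travels in the emailed return URL."""
    user = store.find_by_email(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    store.tokens[token] = user.username
    return token


def flawed_reset(store, token, form_email, new_password):
    """Behaviour the post describes: whatever email is typed into the form is saved to the account."""
    username = store.tokens.pop(token, None)
    if username is None:
        return False
    user = store.users[username]
    user.email = form_email            # the defect: the account email is overwritten unchecked
    user.password_hash = hash_password(new_password)
    return True


def hardened_reset(store, token, form_email, new_password):
    """The token identifies the account; the form email is only verified, never stored."""
    username = store.tokens.get(token)
    if username is None:
        return False
    user = store.users[username]
    if not hmac.compare_digest(user.email.lower().encode(), form_email.lower().encode()):
        return False                   # typed address does not belong to this token's account
    del store.tokens[token]            # single use: consume the token only on success
    user.password_hash = hash_password(new_password)
    return True


def login(store, email, password):
    """Login by email, as the post's login screen does; returns the username or None."""
    user = store.find_by_email(email)
    if user is None:
        return None
    if hmac.compare_digest(user.password_hash, hash_password(password)):
        return user.username
    return None


if __name__ == "__main__":
    store = seed_store()
    tok = request_reset(store, "alice@example.com")
    flawed_reset(store, tok, "bob@example.com", "alice-new")   # alice mistypes bob's address
    print("bob can still log in:", login(store, "bob@example.com", "bob-old"))      # None
    print("alice now answers to bob's email:", login(store, "bob@example.com", "alice-new"))
```

Running the script shows the outcome the post describes: after the flawed reset, `bob@example.com` resolves to alice's row first, so bob's own password no longer logs him in. With `hardened_reset` the mistyped address is rejected, alice's stored email is untouched, and bob's login keeps working; a unique constraint on the email column in the database would also stop the overwrite at the storage layer.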