Make password reset email link same browser restriction configurable

When requesting a password reset in Create, the link in the email that is sent only works if it is opened in the same browser. My general workflow, and I think that of a lot of other people, when requesting password resets from a website is to request the reset using my desktop/laptop, see the email pop up on my phone, reset my password from my phone and then log back in using my desktop/laptop.

Can we please make the same-browser session requirement a configurable option that can be switched off if the customer wishes?

2 Likes

Hi Sean,

Since both of you (!) and others are requesting this, we will definitely look to make this optional.

We have had a quick look and unfortunately it is not going to be a quick change though.

Locking a full authentication flow to a single session in one browser on one device is a really nice security feature, so it would remain on by default after implementing this.

Paul
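
As an added illustration of the option discussed in this thread (not code from Create or from either poster), the sketch below binds a password reset token to the browser session that requested it and exposes that check as a switch that stays on by default. The function names, the `require_same_session` flag and the record fields are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key for this example


def _session_tag(session_id: str) -> str:
    # Store a keyed tag of the session id, never the session id itself.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_reset_token(user_id, session_id, ttl=900, now=None):
    """Return (token, record): the token goes in the email link, the record is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    record = {
        "user_id": user_id,
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "session_tag": _session_tag(session_id),
        "expires": now + ttl,
        "used": False,
    }
    return token, record


def redeem_reset_token(record, token, session_id, require_same_session=True, now=None):
    """Return (ok, reason). Expiry, single use and token match are always enforced."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False, "expired_or_used"
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return False, "bad_token"
    # The configurable part: on by default, so a link opened in another
    # browser or on another device is rejected unless the customer opts out.
    if require_same_session:
        tag = _session_tag(session_id or "")
        if not hmac.compare_digest(tag, record["session_tag"]):
            return False, "different_browser"
    record["used"] = True
    return True, "ok"
```

With the switch off, the token's secrecy, short lifetime and single use are the only things protecting the link, so those checks run regardless of the setting.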