>> I have a Forgot my password page where the user enters his/her email.
>> How can I prevent someone from entering different email addresses trying
>> to guess them or spamming my users?
>>
>> Is there like an IP-based time expiring strategy you would suggest?
>
> You might be able to stash the fact that the user requested a reset in the
> session, and only allow it to happen once per session. They'd have to quit
> their browser or whatever to do it a second time.

Or implement a captcha... I wouldn't do IP-based since you could potentially "block" an entire office or any large group behind a firewall...
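
An added example, not part of the thread or any poster's code: plain Ruby combining the once-per-session flag suggested above with a time-expiring limit keyed on the target address instead of the client IP, so users behind one firewall are not blocked together. `ResetThrottle`, `request_reset`, `GENERIC_REPLY` and the uniform reply are assumptions of this example.

```ruby
# Added example, not code from the thread. Plain Ruby, no Rails required.
# ResetThrottle, request_reset and GENERIC_REPLY are hypothetical names.
class ResetThrottle
  # Allow at most `limit` requests per key in any `window` seconds.
  def initialize(limit:, window:, clock: -> { Time.now.to_f })
    @limit = limit
    @window = window
    @clock = clock
    @hits = Hash.new { |hash, key| hash[key] = [] }
  end

  # True if the request may proceed; records it only when allowed.
  def allow?(key)
    now = @clock.call
    recent = @hits[key]
    recent.reject! { |t| t <= now - @window } # expire old entries
    return false if recent.size >= @limit
    recent << now
    true
  end
end

# Same reply whether or not the address exists, so the form cannot be
# used to guess which addresses are registered.
GENERIC_REPLY = "If that address is registered, a reset link has been sent."

# session: Hash standing in for the Rails session
# known_users: registered addresses (constructed stand-in for a user lookup)
# outbox: Array collecting the addresses that would be mailed
def request_reset(throttle, session, email, known_users, outbox)
  address = email.to_s.strip.downcase
  first_in_session = !session[:reset_requested] # the once-per-session flag
  session[:reset_requested] = true
  # The per-address window still applies when a fresh session is used.
  allowed = first_in_session && throttle.allow?(address)
  outbox << address if allowed && known_users.include?(address)
  GENERIC_REPLY
end
```

The per-address window covers the case the session flag alone does not: a new session requesting a reset for the same address is still held to one mail per window.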

