Remove email address in password reset url querystring

streetsupport · January 9, 2019, 11:11am

Hi

I was wondering if it is possible to prevent a user’s email address being sent in the querystring in the url where the user gets redirected to, after a success password reset. eg:

/password-reset/index.html?email=an-email-address@email.com&success=true&message=You can now login to the application with the new password.

A security review highlighted this as a (minor) issue, where the email address would show up in google analytics, web server logs and referrer headers

Thanks,

Vince

James.Morrison · January 10, 2019, 3:49pm

Hey there @streetsupport, I’m working to find you an answer for this. I will keep you posted in what I find. Thanks!

James.Morrison · January 14, 2019, 8:16pm

After confirming with our support team @streetsupport it isn’t currently possible to prevent an end user’s email address from being sent as a part of the querystring in the url when they get redirected. However, if you like I can submit this as a feature request at Auth0: Secure access for everyone. But not just anyone.. Thanks!

Topic		Replies	Views
Remove e-mail address in password reset url querystring Get Help password-reset , change-password , reset-password	2	3283	November 12, 2019
Don't send along email as plain text in query paramater Get Help	4	4551	January 21, 2019
Change password email: query strings Get Help change-password , email	2	1585	October 5, 2022
Change redirect-back-to-app url parameters? Get Help url , redirect , config	5	5303	March 2, 2018
Changing redirect URL to a POST rather than a GET with PII in the url Get Help password-reset , redirect-rules	6	4737	June 18, 2020

Remove email address in password reset url querystring

Related topics