Auth0 Home Blog Docs

Remove email address in password reset url querystring

password-reset
#1

Hi

I was wondering if it is possible to prevent a user’s email address being sent in the querystring in the url where the user gets redirected to, after a success password reset. eg:

/password-reset/index.html?email=an-email-address@email.com&success=true&message=You can now login to the application with the new password.

A security review highlighted this as a (minor) issue, where the email address would show up in google analytics, web server logs and referrer headers

Thanks,

Vince

#3

Hey there @streetsupport, I’m working to find you an answer for this. I will keep you posted in what I find. Thanks!

1 Like
#4

After confirming with our support team @streetsupport it isn’t currently possible to prevent an end user’s email address from being sent as a part of the querystring in the url when they get redirected. However, if you like I can submit this as a feature request at Auth0.com/feedback. Thanks!

1 Like
closed #5

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.