Prevent user from abusing form

I have a Forgot my password page where the user enters his/her email.
How can I prevent someone from entering different email addresses trying
to guess them or spamming my users?

Is there like an IP-based time expiring strategy you would suggest?

Maybe you could use a captcha.

Best Regards,

Everaldo

You might be able to stash the fact that the user requested a reset in the session, and only allow it to happen once per session. They'd have to quit their browser or whatever to do it a second time.

Walter

I have a Forgot my password page where the user enters his/her email.
How can I prevent someone from entering different email addresses trying
to guess them or spamming my users?

Is there like an IP-based time expiring strategy you would suggest?

You might be able to stash the fact that the user requested a reset in the session, and only allow it to happen once per session. They'd have to quit their browser or whatever to do it a second time.

Or implement a captcha...

I wouldn't do IP-based since you could potentially "block" an entire office or any large group behind a firewall...

I'm not sure what the problem is -- if someone enters an invalid email
address, ignore it. If it is valid, send the email. If your message to the
user is noncommittal -- "If that email is in our database, we'll ...." then
no information re' validity is exposed.

And if they do enter a valid email that's not their own -- well, what of
it? Seems pretty pointless to me. And I get those kind of messages
occasionally, sure, but who cares? Or is there some aspect of this
that I'm missing?
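Walter's once-per-session gate and Hassan's noncommittal reply can be combined with a per-address throttle, which caps how often any one user can be spammed without blocking a whole office behind one IP. The Ruby below is an added example written for this thread, not code from any poster or from Rails itself; the in-memory user list, the limit of three requests per hour, the `session` Hash standing in for the Rails session, and the `ResetRequestHandler`/`PasswordResetThrottle` names are all constructed assumptions.

```ruby
require 'securerandom'

# Constructed stand-in for the users table: only these addresses have accounts.
KNOWN_USERS = { 'alice@example.com' => 'alice', 'bob@example.com' => 'bob' }.freeze

# Assumed policy: at most RESET_LIMIT reset mails per address per RESET_WINDOW seconds.
RESET_LIMIT  = 3
RESET_WINDOW = 60 * 60

# One message for every outcome (unknown address, throttled, or sent), so the
# form never reveals whether an address is registered.
NONCOMMITTAL = "If that email is in our database, we'll send reset instructions."

# Sliding-window counter keyed by the *target* e-mail address rather than the
# client IP, so many legitimate users behind one NAT address are not locked out.
class PasswordResetThrottle
  def initialize(limit: RESET_LIMIT, window: RESET_WINDOW, clock: -> { Time.now })
    @limit, @window, @clock = limit, window, clock
    @per_email = Hash.new { |h, k| h[k] = [] } # email => [request timestamps]
  end

  # Returns true and records the request if the address is under its limit.
  def allow?(email)
    now    = @clock.call
    stamps = @per_email[email]
    stamps.reject! { |t| now - t > @window } # forget requests outside the window
    return false if stamps.size >= @limit
    stamps << now
    true
  end
end

# Handles one "forgot my password" submission for one browser session.
class ResetRequestHandler
  attr_reader :sent # outbox, kept so the behaviour can be inspected

  # session: a Hash playing the role of the Rails session object (assumption).
  def initialize(throttle, session)
    @throttle, @session, @sent = throttle, session, []
  end

  # Every branch ends with the same message; the only difference is whether a
  # mail is queued. In a real app the send should be enqueued asynchronously so
  # response time does not differ between the branches either.
  def request_reset(email)
    normalized = email.to_s.strip.downcase
    return NONCOMMITTAL if @session[:reset_requested]   # once per session (Walter)
    return NONCOMMITTAL unless KNOWN_USERS.key?(normalized) # unknown: silently ignore
    return NONCOMMITTAL unless @throttle.allow?(normalized) # per-address cap reached

    @sent << { to: normalized, token: SecureRandom.hex(16) }
    @session[:reset_requested] = true
    NONCOMMITTAL
  end
end

if __FILE__ == $PROGRAM_NAME
  handler = ResetRequestHandler.new(PasswordResetThrottle.new, {})
  puts handler.request_reset('nobody@example.com') # same text, nothing sent
  puts handler.request_reset('alice@example.com')  # same text, one mail queued
  puts "mails queued: #{handler.sent.size}"
end
```

The session flag is only set after a mail is actually queued, so a user who mistypes their address can still retry in the same session, while the per-address counter is what bounds the spam a given user can receive across sessions and IPs; a captcha, as suggested above, would sit in front of all three checks.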

Hassan Schroeder wrote in post #1015184:

I'm not sure what the problem is -- if someone enters an invalid email
address, ignore it. If it is valid, send the email. If your message to the
user is noncommittal -- "If that email is in our database, we'll ...." then
no information re' validity is exposed.

And if they do enter a valid email that's not their own -- well, what of
it? Seems pretty pointless to me. And I get those kind of messages
occasionally, sure, but who cares? Or is there some aspect of this
that I'm missing?

Agreed, I mean what's to stop anyone from opening up their favorite
email client, start typing in random email addresses in the To field and
sending it off? It would be silly for your application to send emails to
any random address that's not in your database.

Besides all that, if we can ever get past every piddly web site creating
their own username/password combinations and start using centralized
user authentication (Twitter, Facebook, OpenID, etc.) this problem of
forgetting passwords would go away.

Nothing complicated. It's just to stop a bot or anybody using the login
or forgot password form repeatedly.

@robert4723
Interesting read:
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html