Expire Password Reset Link

[prabhakaran karthikeyan]

If an user requests a password reset link, clicking on it will make the link expirable. Suppose, user requests more than one link mistakenly, just need to expire the first link . The user should get reset form only from recent link. Any help is appreciated. Thank You.

[Nelson Varela]

Why give out more than one link? Why not use get_or_create to make link or use existing link for that user?

Op woensdag 23 oktober 2019 15:06:17 UTC+2 schreef prabhakaran karthikeyan:

[Maher, Brian]

You could do this quite easily by just querying the table storing reset keys for objects belonging to the user and expiring them (setting the date to the past, or setting an expire bit). 

However, IMO it is far better to just generate another one, and have them expire automatically after either a set time, or after a successful password change/reset. In the case that generating a new link expires existing ones, where there is no rate limiting, it would be theoretically possible to prevent someone resetting their password by continually requesting new links for their account.

Bri

— 

Best Regards,

Brian Maher

Senior Research Software Engineer & Systems Administrator

King’s Digital Lab

VWB, 2nd Floor, Room 2.50, Strand Campus

Work: 0207 848 0511

Mobile: 07714 285086

Voip: ‭01702 667471‬

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/d1bd6182-8583-42ed-b767-36e1c4d1eed8%40googlegroups.com.

[Percival Rapha]

I use django.core.signing.Signer...usually i store identifiers and a timestamp which will be checked upon a request. You should check it out!