 

Setting expiration time to Django password reset token


I am using the inbuilt password reset functionality of Django, which emails the user the password reset link. Is there an option in Django to set an expiration time for the link, say 6 hours, after which the link becomes invalid and the user will have to request password recovery again?

Sar009 asked Jan 16 '14 07:01




2 Answers

If you're using Django's built-in password reset functionality, you can use the setting PASSWORD_RESET_TIMEOUT_DAYS.

Example: if a user uses a password reset link that was generated 2 days ago and you have PASSWORD_RESET_TIMEOUT_DAYS=1 in your project's settings, the link will be invalid and the user cannot continue.

More info here: https://docs.djangoproject.com/en/3.2/ref/settings/#password-reset-timeout-days

Ed Patrick Tan answered Sep 28 '22 04:09


Django includes functionality to expire the token in less than 1 day in Django 3.1 or newer. Use the setting PASSWORD_RESET_TIMEOUT, which takes the number of seconds after which the token will expire.

PASSWORD_RESET_TIMEOUT = 259200 # 3 days, in seconds

Documentation: https://docs.djangoproject.com/en/stable/ref/settings/#password-reset-timeout

Shivam Shahi answered Sep 28 '22 03:09
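The 6-hour expiry asked for in the question, as an added example that is not from either answer and is not Django's own code: a stdlib-only, simplified model of a timestamped HMAC reset token whose age is compared against a timeout in seconds when the link is checked. The names `make_token`, `check_token`, `SECRET` and the user-state strings are hypothetical.

```python
import hashlib
import hmac
import time

# Assumed values for this sketch. In a Django project the timeout is the
# PASSWORD_RESET_TIMEOUT setting (seconds) and the key is SECRET_KEY.
PASSWORD_RESET_TIMEOUT = 6 * 60 * 60  # 6 hours, as asked in the question
SECRET = b"constructed-demo-key"      # constructed sample key


def _mac(user_state, ts):
    """HMAC over the user's state and the issue timestamp."""
    msg = f"{user_state}:{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(user_state, now=None):
    """Return '<issue-timestamp>-<mac>'; nothing is stored server-side."""
    ts = int(time.time()) if now is None else now
    return f"{ts}-{_mac(user_state, ts)}"


def check_token(user_state, token, now=None, timeout=PASSWORD_RESET_TIMEOUT):
    """Valid only if the MAC matches and the token is not older than timeout."""
    now = int(time.time()) if now is None else now
    try:
        ts_text, mac = token.split("-", 1)
        ts = int(ts_text)
    except ValueError:
        return False  # malformed token
    # Constant-time compare. The timestamp is covered by the MAC, so a
    # client cannot extend a link's life by editing it.
    if not hmac.compare_digest(mac.encode(), _mac(user_state, ts).encode()):
        return False
    # Expiry is decided here, at check time, from the current setting:
    # changing the timeout also changes the life of links already sent.
    return (now - ts) <= timeout
```

Including the password hash in the user state, as the sample strings in this sketch assume, makes a link stop working once the password has been changed.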