Would there be any big issues if they never expire?
Somebody forgets his password and requests a password reset; an email with the password reset link is sent to him.
He then suddenly remembers his password and so he simply ignores the password reset email. But after a few days, he forgets again. Since he already has a password reset email in his mailbox, he simply clicks on that link to go back to the website and reset his password.
This seems ok, so why should we make account activation/password reset links expire after some time?
Email security software like Mimecast will scan your email for links that could be harmful to your computer. When a one-time-use URL is used, as in many password reset communications, the URL becomes expired when the security software scans the email.
For security reasons the activation link will expire after 48 hours. If this occurs, you can re-register, and then activate your account using the activation link in the new email.
Password reset links expire 24 hours from when the reset is triggered. Email change verification links expire 72 hours from the time of change. Note: the password reset link expiration is different from the password expiration set in Password Policies.
By default, password reset tokens expire after one hour. You may change this via the password reset `expire` option in your `config/auth.php` file. The default `expire` is 60 minutes.
What if their email account was compromised? The attacker then sees all these "password reset" links and clicks through them, further compromising more accounts, among them your service, which may handle real money or credit card information.
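As an added example (not code from any of the answers or products quoted above), here is a minimal reset-token store in Python that handles the scenarios raised in this thread: links expire (one hour, the Laravel default quoted above), are single-use, and are invalidated when a newer reset is requested, so a stale link sitting in a compromised mailbox is worthless. The class and function names are my own, and the clock is injectable purely so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

RESET_TOKEN_TTL = 60 * 60  # one hour, matching the default quoted above


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


@dataclass
class ResetTokenStore:
    # Hypothetical in-memory store; a real deployment would back this with a database.
    clock: Callable[[], float] = time.time
    records: Dict[bytes, ResetRecord] = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id and retire any earlier unused ones."""
        for rec in self.records.values():
            if rec.user_id == user_id:
                rec.used = True  # an older link in the mailbox must stop working
        token = secrets.token_urlsafe(32)  # 256 bits of randomness for the link
        token_hash = hashlib.sha256(token.encode()).digest()
        # Only the hash is stored: a leaked database does not leak usable links.
        self.records[token_hash] = ResetRecord(user_id, self.clock() + RESET_TOKEN_TTL)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is known, unused and unexpired; else None.
        A successful redeem consumes the token, so the same link cannot be reused."""
        presented = hashlib.sha256(token.encode()).digest()
        # Compare hashes in constant time so lookup timing does not leak anything.
        rec = next((r for h, r in self.records.items()
                    if hmac.compare_digest(h, presented)), None)
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None
        rec.used = True
        return rec.user_id
```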