I still think seconds are the way to go, but maybe the documentation could
give a clue that timedelta().seconds can be used for readability:

PASSWORD_RESET_TIMEOUT = datetime.timedelta(hours=6, minutes=30).seconds

Dylan

On Thu, Sep 21, 2017 at 6:14 AM, Zhiqiang Liu <zachliu...@gmail.com> wrote:

> Yeah I don't think float number of days is a good choice because the
> calculation will be weird with precision issues.
>
> I think it makes sense to use PASSWORD_RESET_TIMEOUT. As for timedelta vs.
> integer seconds: timedelta has the benefit of readability, but integer has
> the benefit of simplicity. I think in SETTINGS everything should be as
> simple as possible, so I think integer seconds is a better choice here. And
> it is used in most applications too.
>
>
> On Thursday, September 21, 2017 at 8:56:36 AM UTC-4, charettes wrote:
>>
>> That's what I proposed on the ticket but I feel like it felt odd to me,
>> the setting name doesn't suggest this is possible and it might be hard to
>> achieve exact second precision because of float rounding?
>>
>> In my opinion introducing PASSWORD_RESET_TIMEOUT with timedelta support
>> would be the best option.
>>
>> Simon
>>
>> On Thursday, September 21, 2017 at 5:26:23 AM UTC-4, Adam Johnson wrote:
>>>
>>> Why not just keep PASSWORD_RESET_TIMEOUT_DAYS and allow floats? Then
>>> you can just do 1/24 for an hour.
>>>
>>> On 21 September 2017 at 09:50, Eddy C <coupo...@chicheng.me> wrote:
>>>
>>>> I think Minute, with default value 30 or 60, is the best unit for this
>>>> setting.
>>>>
>>>> 3 minutes (even 1) is short enough for edge case and 720 (12 hours)
>>>> also looks good.
>>>>
>>>> On Thursday, September 21, 2017 at 6:22:20 PM UTC+10, Tom Forbes wrote:
>>>>>
>>>>> I think we shouldn't shoe-horn a timedelta into the existing setting,
>>>>> so my vote is with the second option, but I think a timedelta is much more
>>>>> readable than just an integer.
>>>>>
>>>>> Also, the existing 3 day timeout for password links is quite
>>>>> surprising from a security point of view. The consultants I work with
>>>>> would flag up a token that lasts longer than 12 hours as an issue
>>>>> during a pentest.
>>>>>
>>>>> IMO a new, far shorter default should be added to this setting.
>>>>>
>>>>> On 21 Sep 2017 03:56, "Zhiqiang Liu" <zachl...@gmail.com> wrote:
>>>>>
>>>>> I need general consensus on how to proceed with supporting password
>>>>> expire time to be under a day. Currently it is not possible because we use
>>>>> PASSWORD_RESET_TIMEOUT_DAYS.
>>>>>
>>>>> In ticket 28622 <https://code.djangoproject.com/ticket/28622> we have
>>>>> two options.
>>>>>
>>>>> One is to continue to use the same setting
>>>>> PASSWORD_RESET_TIMEOUT_DAYS, but change the value to non-integer (such as
>>>>> timedelta) so we can send hours, minutes, etc to it.
>>>>>
>>>>> The other one is to create a new setting like PASSWORD_RESET_TIMEOUT
>>>>> which takes seconds. To support backward compatibility, I think we should
>>>>> keep PASSWORD_RESET_TIMEOUT_DAYS and its default value of 3. Only use
>>>>> PASSWORD_RESET_TIMEOUT when provided.
>>>>>
>>>>> I'm unsure which one is better, so inputs are welcome.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Django developers (Contributions to Django itself)" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to django-develop...@googlegroups.com.
>>>>> To post to this group, send email to django-d...@googlegroups.com.
>>>>> Visit this group at https://groups.google.com/group/django-developers.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/django-developers/c8e96008
>>>>> -eb95-4924-8e5e-9b02d6b90c99%40googlegroups.com
>>>>> <https://groups.google.com/d/msgid/django-developers/c8e96008-eb95-4924-8e5e-9b02d6b90c99%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>
>>>
>>>
>>> --
>>> Adam
>>>
>
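
An added example, not part of the original thread and not Django's own code: it normalises a reset-token lifetime given as integer seconds or a timedelta, shows that `timedelta.seconds` omits the days component while `total_seconds()` does not, and flags lifetimes above the 12-hour figure mentioned in the thread. The names `timeout_seconds`, `token_expired`, `audit_lifetime`, `seconds_attribute_gap` and `REVIEW_LIMIT` are hypothetical.

```python
import datetime

# Threshold quoted in the thread: lifetimes over 12 hours get flagged in a pentest.
REVIEW_LIMIT = datetime.timedelta(hours=12)


def timeout_seconds(value):
    """Normalise a lifetime (int seconds or timedelta) to whole seconds.

    Hypothetical helper for illustration; not Django's API.
    """
    if isinstance(value, datetime.timedelta):
        # total_seconds() includes the days component; .seconds does not.
        total = value.total_seconds()
        if total != int(total):
            raise ValueError("lifetime must be a whole number of seconds")
        value = int(total)
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("lifetime must be an int or a timedelta")
    if value <= 0:
        raise ValueError("lifetime must be positive")
    return value


def token_expired(issued_at, now, lifetime):
    """True once more than `lifetime` has elapsed since the token was issued."""
    return (now - issued_at).total_seconds() > timeout_seconds(lifetime)


def audit_lifetime(lifetime):
    """Return (seconds, flagged); flagged means longer than REVIEW_LIMIT."""
    seconds = timeout_seconds(lifetime)
    return seconds, seconds > REVIEW_LIMIT.total_seconds()


def seconds_attribute_gap(delta):
    """Seconds that `.seconds` leaves out compared with the full duration."""
    return timeout_seconds(delta) - delta.seconds


if __name__ == "__main__":
    # Constructed sample values.
    for delta in (datetime.timedelta(hours=6, minutes=30),
                  datetime.timedelta(days=1, hours=1),
                  datetime.timedelta(days=3)):
        print(delta, delta.seconds, audit_lifetime(delta), seconds_attribute_gap(delta))
    issued = datetime.datetime(2017, 9, 21, 9, 0, tzinfo=datetime.timezone.utc)
    print(token_expired(issued, issued + datetime.timedelta(hours=7), 23400))
```

For durations under one day the two attributes agree; from one day upward `.seconds` wraps, so a three-day lifetime written that way evaluates to 0.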
