#32130: 3.0 -> 3.1 password token incompatibility.
------------------------------------------+------------------------
 Reporter: Gordon Wrigley                  | Owner: nobody
 Type: Uncategorized                       | Status: new
 Component: Uncategorized                  | Version: 3.1
 Severity: Normal                          | Keywords:
 Triage Stage: Unreviewed                  | Has patch: 0
 Needs documentation: 0                    | Needs tests: 0
 Patch needs improvement: 0                | Easy pickings: 0
 UI/UX: 0                                  |
------------------------------------------+------------------------
 As noted here https://docs.djangoproject.com/en/3.1/releases/3.1/#django-contrib-auth the hashing for password reset tokens has changed between 3.0 and 3.1 and work has been done to ensure existing tokens will still work (at least until 4.0).
 However, the encoding of the token creation time has also changed. Specifically, from days since 1/1/01 to seconds since 1/1/01. And it appears no work has been done to support tokens with the older values. So a token generated on Oct 1, 2020 will come through as 7213 days, which will then get interpreted as 7213 seconds, aka 2am Jan 1, 2001. So while existing tokens in the wild will pass crypto validation, they will all show as expired if your PASSWORD_RESET_TIMEOUT is less than ~20 years.

 The code base I'm working on uses these tokens (perhaps unwisely) in some email links that are expected to have a 3 month lifetime, and an upgrade from 3.0 to 3.1 looks likely to render all the tokens in the wild expired, which is suboptimal.

--
Ticket URL: <https://code.djangoproject.com/ticket/32130>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
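The arithmetic behind the report, as an added example that is not part of the ticket and not Django's code: it reproduces the two timestamp encodings the reporter describes (whole days versus whole seconds since 2001-01-01), shows how a 3.0 days-value is misread when checked as seconds, and sketches one way a compatibility shim could tell the two apart. The base36 helpers, the `MAX_PLAUSIBLE_DAYS` cut-off, the token layout `<ts_b36>-<hash>` used for splitting, and the dates in `ticket_scenario()` are all assumptions made for the illustration; the hash part of the token is not modelled at all.

```python
from datetime import datetime, timedelta

# Both encodings described in the ticket count from this epoch:
# 3.0 stored whole days, 3.1 stores whole seconds.
EPOCH = datetime(2001, 1, 1)

# Own base36 implementation (digits, then lowercase letters), used only so the
# timestamp field of a "<ts_b36>-<hash>" token can be encoded and decoded here.
B36_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def int_to_base36(n: int) -> str:
    if n < 0:
        raise ValueError("negative values are not encodable")
    if n == 0:
        return "0"
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(B36_ALPHABET[rem])
    return "".join(reversed(digits))


def base36_to_int(s: str) -> int:
    return int(s, 36)


def num_days(dt: datetime) -> int:
    """3.0-style creation time: whole days since the epoch."""
    return (dt - EPOCH).days


def num_seconds(dt: datetime) -> int:
    """3.1-style creation time: whole seconds since the epoch."""
    return int((dt - EPOCH).total_seconds())


def timestamp_field(token: str) -> int:
    """Decode the base36 timestamp in front of the first '-' (assumed layout)."""
    return base36_to_int(token.split("-", 1)[0])


def naive_31_age_seconds(ts: int, now: datetime) -> int:
    """Age a seconds-only check computes, whatever unit ts was written in."""
    return num_seconds(now) - ts


def age_seconds_treating_as_days(ts: int, now: datetime) -> int:
    """Age if ts is known to be a 3.0 days-value."""
    return num_seconds(now) - ts * 86400


# Assumption for this illustration: a seconds-value below this bound would mean a
# 3.1 token minted in the first ten hours of 2001-01-01, which cannot occur, while
# every 3.0 days-value up to roughly the year 2100 stays below it. The threshold
# therefore separates the two encodings without ambiguity.
MAX_PLAUSIBLE_DAYS = 36_525


def legacy_aware_age_seconds(ts: int, now: datetime) -> int:
    """Treat small values as days (3.0 tokens) and everything else as seconds."""
    if ts < MAX_PLAUSIBLE_DAYS:
        return age_seconds_treating_as_days(ts, now)
    return naive_31_age_seconds(ts, now)


def is_expired(age_seconds: int, timeout_seconds: int) -> bool:
    return age_seconds > timeout_seconds


def ticket_scenario() -> dict:
    """Constructed dates: token created 2020-10-01, checked 2020-11-01,
    with the three-month lifetime the reporter mentions."""
    created = datetime(2020, 10, 1)
    now = datetime(2020, 11, 1)
    timeout = 90 * 86400
    legacy_token = f"{int_to_base36(num_days(created))}-hash-not-modelled"
    ts = timestamp_field(legacy_token)
    return {
        "legacy_ts": ts,
        "legacy_token_prefix": legacy_token.split("-", 1)[0],
        "misread_as": (EPOCH + timedelta(seconds=ts)).isoformat(),
        "naive_age": naive_31_age_seconds(ts, now),
        "legacy_aware_age": legacy_aware_age_seconds(ts, now),
        "expired_naive": is_expired(naive_31_age_seconds(ts, now), timeout),
        "expired_legacy_aware": is_expired(legacy_aware_age_seconds(ts, now), timeout),
        # A genuine 3.1 token for the same creation time must still age correctly.
        "new_style_age": legacy_aware_age_seconds(num_seconds(created), now),
    }


if __name__ == "__main__":
    for key, value in ticket_scenario().items():
        print(f"{key}: {value}")
```

The naive check turns the one-month-old token into one that appears roughly 19.8 years old, which is why only a PASSWORD_RESET_TIMEOUT of about twenty years or more would accept it. The day/second split above is a heuristic for the example, not Django's fix; anyone shipping such a shim should also keep the original hash validation in front of it, since the timestamp field is attacker-controlled until the signature has been checked.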