Re: Expire Password Reset Link

[Percival Rapha]

I use django.core.signing.Signer...usually i store identifiers and a 
timestamp which will be checked upon a request. You should check it out!

On Wednesday, October 23, 2019 at 3:06:17 PM UTC+2, prabhakaran karthikeyan 
wrote:
>
> If an user requests a password reset link, clicking on it will make the 
> link expirable. Suppose, user requests more than one link mistakenly, just 
> need to expire the first link . The user should get reset form only from 
> recent link. Any help is appreciated. Thank You.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/f9fdc6d7-4489-4232-a9d0-e91036c2d05e%40googlegroups.com.

Re: Expire Password Reset Link

['Maher, Brian' via Django users]

You could do this quite easily by just querying the table storing reset keys 
for objects belonging to the user and expiring them (setting the date to the 
past, or setting an expire bit).

However, IMO it is far better to just generate another one, and have them 
expire automatically after either a set time, or after a successful password 
change/reset. In the case that generating a new link expires existing ones, 
where there is no rate limiting, it would be theoretically possible to prevent 
someone resetting their password by continually requesting new links for their 
account.

Bri

—
Best Regards,
Brian Maher

Senior Research Software Engineer & Systems Administrator
King’s Digital Lab
VWB, 2nd Floor, Room 2.50, Strand Campus

Work: 0207 848 0511
Mobile: 07714 285086
Voip: ‭01702 667471‬

On 23 Oct 2019, at 15:10, Nelson Varela 
mailto:nelson.c.var...@gmail.com>> wrote:

Why give out more than one link? Why not use get_or_create to make link or use 
existing link for that user?



Op woensdag 23 oktober 2019 15:06:17 UTC+2 schreef prabhakaran karthikeyan:
If an user requests a password reset link, clicking on it will make the link 
expirable. Suppose, user requests more than one link mistakenly, just need to 
expire the first link . The user should get reset form only from recent link. 
Any help is appreciated. Thank You.

--
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/d1bd6182-8583-42ed-b767-36e1c4d1eed8%40googlegroups.com.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/632F5496-71F7-4C25-AC03-D3DA8CB8BEFC%40kcl.ac.uk.

Re: Expire Password Reset Link

[Nelson Varela]

Why give out more than one link? Why not use get_or_create to make link or 
use existing link for that user?



Op woensdag 23 oktober 2019 15:06:17 UTC+2 schreef prabhakaran karthikeyan:
>
> If an user requests a password reset link, clicking on it will make the 
> link expirable. Suppose, user requests more than one link mistakenly, just 
> need to expire the first link . The user should get reset form only from 
> recent link. Any help is appreciated. Thank You.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/d1bd6182-8583-42ed-b767-36e1c4d1eed8%40googlegroups.com.