#28248: Password resets are allowed for 1 day longer than PASSWORD_RESET_TIMEOUT_DAYS
-------------------------------+------------------------------------
Reporter: Nick Zaccardi          | Owner: nobody
Type: Bug                        | Status: new
Component: contrib.auth          | Version: 1.11
Severity: Normal                 | Resolution:
Keywords:                        | Triage Stage: Accepted
Has patch: 1                     | Needs documentation: 0
Needs tests: 0                   | Patch needs improvement: 0
Easy pickings: 0                 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Luke Plant):
* status: closed => new
* resolution: fixed =>

Comment:

I believe this change is incorrect and should be reverted, according to a common sense interpretation of the setting.

The code rounds all timestamps to midnight (server time) providing a resolution of only 1 day. So if you generate a link 5 minutes before midnight and try to use it 6 minutes later, that counts as 1 day. With the current code, if you set the timeout setting to 1 day, such a link would be rejected.

In other words, new code interprets timeout of 1 day as "up to one day, could be almost zero". The old way interpreted as "at least 1 day, could be up to 2". I think the old way was better, much less likely to be an accidental usability issue. There is virtually no security concern with being too generous here (see my latest post on django-devs on related issue).

--
Ticket URL: <https://code.djangoproject.com/ticket/28248#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
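The day-granularity effect the comment describes can be made concrete with a small model of the timestamp check. This is an added illustration, not Django's code and not part of the ticket: it assumes a token that carries only a whole-day count (days since an assumed epoch of 2001-01-01, with everything after midnight dropped) and contrasts the two interpretations of the setting, "at least N days" (reject only once more than N day boundaries have been crossed) and "up to N days" (reject as soon as N boundaries have been crossed). The function names, the epoch and the sample timestamps are constructed for the example.

```python
from datetime import date, datetime

# Assumed epoch for the day counter; the real value does not matter for the
# comparison, only that both timestamps are rounded to the same day grid.
EPOCH = date(2001, 1, 1)


def num_days(when: datetime) -> int:
    """Whole days since EPOCH. Hours and minutes are dropped, so two
    instants 6 minutes apart can land on different day numbers."""
    return (when.date() - EPOCH).days


def days_elapsed(generated_at: datetime, used_at: datetime) -> int:
    """Number of midnight boundaries crossed between generation and use."""
    return num_days(used_at) - num_days(generated_at)


def check_at_least(generated_at: datetime, used_at: datetime, timeout_days: int) -> bool:
    """'At least N days, could be up to N+1': the link stays valid while
    no more than timeout_days boundaries have been crossed."""
    return days_elapsed(generated_at, used_at) <= timeout_days


def check_at_most(generated_at: datetime, used_at: datetime, timeout_days: int) -> bool:
    """'Up to N days, could be almost zero': the link dies as soon as
    timeout_days boundaries have been crossed, even minutes after issue."""
    return days_elapsed(generated_at, used_at) < timeout_days


def scenario(timeout_days: int = 1) -> dict:
    """Constructed timeline: a link generated 5 minutes before midnight,
    then used at several later instants. Returns, per instant, the verdict
    of each interpretation as (at_least, at_most)."""
    generated = datetime(2017, 6, 1, 23, 55)
    uses = {
        "same_day_4_minutes_later": datetime(2017, 6, 1, 23, 59),
        "6_minutes_later": datetime(2017, 6, 2, 0, 1),
        "about_24_hours_later": datetime(2017, 6, 2, 23, 59),
        "about_48_hours_later": datetime(2017, 6, 3, 0, 1),
    }
    return {
        label: (check_at_least(generated, used, timeout_days),
                check_at_most(generated, used, timeout_days))
        for label, used in uses.items()
    }


if __name__ == "__main__":
    for label, (at_least, at_most) in scenario().items():
        print(f"{label:28s} at_least={at_least!s:5s} at_most={at_most}")
```

With the setting at 1, the "at most" reading rejects the link 6 minutes after it was issued (one boundary crossed), while the "at least" reading accepts it until the second boundary, about 48 hours after issue at the latest. That is the "almost zero" versus "up to 2" trade-off the comment is making.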