#28248: Password resets are allowed for 1 day longer than PASSWORD_RESET_TIMEOUT_DAYS
-------------------------------+------------------------------------
     Reporter:  Nick Zaccardi  |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  contrib.auth   |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------
Changes (by Luke Plant):

 * status:  closed => new
 * resolution:  fixed =>


Comment:

 I believe this change is incorrect and should be reverted, according to a
 common sense interpretation of the setting.

 The code rounds all timestamps to midnight (server time) providing a
 resolution of only 1 day. So if you generate a link 5 minutes before
 midnight and try to use it 6 minutes later, that counts as 1 day. With the
 current code, if you set the timeout setting to 1 day, such a link would
 be rejected.

 In other words, the new code interprets a timeout of 1 day as "up to one day,
 could be almost zero". The old way interpreted it as "at least 1 day, could
 be up to 2". I think the old way was better, much less likely to be an
 accidental usability issue. There is virtually no security concern with
 being too generous here (see my latest post on django-devs on a related
 issue).

-- 
Ticket URL: <https://code.djangoproject.com/ticket/28248#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
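The day-rounding behaviour described in the comment, worked through as an added example (this is not code from the ticket, the patch, or Django itself): timestamps are reduced to a day number, and the two readings of a 1-day timeout differ only in whether the check uses `>` or `>=`. The epoch constant, the timestamps, and the function names are the example's own choices; naive datetimes stand in for server local time.

```python
from datetime import date, datetime, time, timedelta

# Arbitrary epoch for the day counter (an assumption of this example; the
# exact epoch does not change the day-difference arithmetic).
EPOCH = date(2001, 1, 1)


def num_days(dt: datetime) -> int:
    """Day number of a timestamp: everything after midnight is discarded,
    which is what gives the check a resolution of only one day."""
    return (dt.date() - EPOCH).days


def is_expired_old(issued: datetime, now: datetime, timeout_days: int) -> bool:
    """'At least N days, could be up to N+1': reject only when strictly more
    than N day boundaries have been crossed since the link was issued."""
    return num_days(now) - num_days(issued) > timeout_days


def is_expired_new(issued: datetime, now: datetime, timeout_days: int) -> bool:
    """'Up to N days, could be almost zero': reject once N day boundaries
    have been crossed, even if that happened minutes after issue."""
    return num_days(now) - num_days(issued) >= timeout_days


def first_rejected_moment(issued: datetime, timeout_days: int, rule: str) -> datetime:
    """Midnight at which a link issued at `issued` stops validating under
    the given rule ('old' or 'new'), derived from the two comparisons above."""
    if rule not in ("old", "new"):
        raise ValueError("rule must be 'old' or 'new'")
    # Under the old rule the link survives one more whole calendar day.
    extra_day = 1 if rule == "old" else 0
    first_rejected_date = issued.date() + timedelta(days=timeout_days + extra_day)
    return datetime.combine(first_rejected_date, time.min)


def actual_lifetime(issued: datetime, timeout_days: int, rule: str) -> timedelta:
    """Real wall-clock validity window of a link, which depends on the time
    of day it was issued because of the rounding to midnight."""
    return first_rejected_moment(issued, timeout_days, rule) - issued


if __name__ == "__main__":
    # Constructed sample: a link generated 5 minutes before midnight and
    # checked 6 minutes later, with the timeout set to 1 day.
    issued = datetime(2017, 5, 31, 23, 55)
    checked = issued + timedelta(minutes=6)
    print("old rule rejects:", is_expired_old(issued, checked, 1))
    print("new rule rejects:", is_expired_new(issued, checked, 1))
    for when in (issued, datetime(2017, 5, 31, 0, 5)):
        for rule in ("old", "new"):
            print(f"issued {when:%H:%M}, {rule} rule: valid for "
                  f"{actual_lifetime(when, 1, rule)}")
```

Running the sample shows the asymmetry the comment describes: the link issued at 23:55 stays usable for just over 24 hours under the old comparison but for only 5 minutes under the new one, while a link issued at 00:05 gets almost 48 hours under the old rule and almost 24 under the new one. Whichever comparison is chosen, the real window always varies by up to a full day with the time of issue, because the rounding happens before the comparison.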
