#28248: Password resets are allowed for 1 day longer than PASSWORD_RESET_TIMEOUT_DAYS
---------------------------------+------------------------------------
            Reporter:  Nick Zaccardi    |  Owner:  nobody
                Type:  Bug              |  Status:  closed
           Component:  contrib.auth     |  Version:  2.0
            Severity:  Release blocker  |  Resolution:  invalid
            Keywords:                   |  Triage Stage:  Accepted
           Has patch:  1                |  Needs documentation:  0
         Needs tests:  0                |  Patch needs improvement:  0
       Easy pickings:  0                |  UI/UX:  0
---------------------------------+------------------------------------
Comment (by Luke Plant):

Replying to [comment:10 Nick Zaccardi]:

> I do want to explain why this doesn't meet the 1% of use cases. When I originally reported this I was working on a password reset feature in a different app (a large corporate financial application) which has very specific policies on passwords, password resets, and the validity time of both. From a contractual perspective (regardless of user experience) a >24hr link would be a break in policy or worse a violation of contractual obligation to implement a <24hr link. For most up to 2 days is fine, for some, regardless of the real-life implications of the policy, it is a big deal.

Thanks for filling in these background details. It is unfortunate that sometimes these policies exist which actually don't apply (for reasons that I described here - https://groups.google.com/d/msg/django-developers/65iOQunvkPY/pP5mF-44AQAJ ).

However, your experience is still a significant data point in favour of the feature being asked for in that thread ( https://groups.google.com/forum/#!topic/django-developers/65iOQunvkPY ), namely, supporting a timeout of less than one day. Please do feel free to jump into that thread and add your 2 cents - we have to be pragmatic about complying with these kinds of regulations.

> All that to say, why does this get rounded in the first place? why not just use:

It is mainly rounded to make the timestamp shorter (we only need to store a number of days, not seconds), which has an impact on the length of URL generated. That may sound like a dubious argument, but that was the initial rationale I believe! With some email clients that like to truncate URLs etc., it can make a difference. Maybe things are better these days...

--
Ticket URL: <https://code.djangoproject.com/ticket/28248#comment:11>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
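A worked illustration of the day-granularity rounding this comment discusses, added here and not code from the ticket or from Django itself: it models the day-counter check in plain Python (the epoch, the sample instants and the timeout value are constructed assumptions) and compares it with a seconds-based check, showing why a 1-day timeout accepts a link for anything between 24 and almost 48 hours depending on the time of day it was issued.

```python
from datetime import date, datetime, time, timedelta

# Constructed model for this ticket, not Django's own code: the token's
# timestamp is stored as a whole number of days, so the check can only
# compare day counters. Epoch and setting value are assumptions for the demo.
EPOCH = date(2001, 1, 1)
PASSWORD_RESET_TIMEOUT_DAYS = 1

# Constructed sample instants: one link issued just after midnight, one just
# before, and a probe time nearly two days after the early one.
EARLY = datetime(2017, 5, 26, 0, 0, 5)
LATE = datetime(2017, 5, 26, 23, 59, 55)
PROBE = datetime(2017, 5, 27, 23, 59, 59)


def num_days(dt: datetime) -> int:
    """Whole days since EPOCH: the rounding that keeps the token short."""
    return (dt.date() - EPOCH).days


def valid_by_day(issued: datetime, now: datetime) -> bool:
    """Day-granularity check: accept while the day counter moved by at most
    PASSWORD_RESET_TIMEOUT_DAYS, regardless of the time of day."""
    return num_days(now) - num_days(issued) <= PASSWORD_RESET_TIMEOUT_DAYS


def valid_by_second(issued: datetime, now: datetime) -> bool:
    """Second-granularity check for comparison: accept while the elapsed
    time is within the timeout."""
    return now - issued <= timedelta(days=PASSWORD_RESET_TIMEOUT_DAYS)


def day_based_expiry(issued: datetime) -> datetime:
    """First instant at which valid_by_day() rejects a token issued at
    `issued`: midnight after the last accepted day."""
    first_bad_day = issued.date() + timedelta(days=PASSWORD_RESET_TIMEOUT_DAYS + 1)
    return datetime.combine(first_bad_day, time.min)


def effective_validity(issued: datetime) -> timedelta:
    """How long a token really stays valid under the day-based check: from
    exactly TIMEOUT days (issued just before midnight) up to almost
    TIMEOUT + 1 days (issued just after midnight)."""
    return day_based_expiry(issued) - issued


if __name__ == "__main__":
    for issued in (EARLY, LATE):
        print(issued, "stays valid for", effective_validity(issued))
    print("day-based:", valid_by_day(EARLY, PROBE),
          "seconds-based:", valid_by_second(EARLY, PROBE))
```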