To be honest, I'm quite surprised that the password reset feature does not use `TimestampSigner` which already supports timedeltas explicitly.
Is the Signing backend overkill for this? Probably yes. But I think using the signing backend still makes sense since it's already there. So if one were to move from day-based timeouts to second/timedelta based timeouts, one might as well use the TimestampSigner.

On Thursday, September 21, 2017 at 10:22:20 AM UTC+2, Tom Forbes wrote:

> I think we shouldn't shoe-horn a timedelta into the existing setting, so my vote is with the second option, but I think a timedelta is much more readable than just an integer.
>
> Also, the existing 3 day timeout for password links is quite surprising from a security point of view. The consultants I work with would flag up a token that lasts longer than 12 hours as an issue during a pentest.
>
> IMO a new, far shorter default should be added to this setting.
>
> On 21 Sep 2017 03:56, "Zhiqiang Liu" <zachl...@gmail.com> wrote:
>
> I need general consensus on how to proceed with supporting password expire time to be under a day. Currently it is not possible because we use PASSWORD_RESET_TIMEOUT_DAYS.
>
> In ticket 28622 <https://code.djangoproject.com/ticket/28622> we have two options.
>
> One is to continue to use the same setting PASSWORD_RESET_TIMEOUT_DAYS, but change the value to non-integer (such as timedelta) so we can send hours, minutes, etc to it.
>
> The other one is to create a new setting like PASSWORD_RESET_TIMEOUT which takes seconds. To support backward compatibility, I think we should keep PASSWORD_RESET_TIMEOUT_DAYS and its default value of 3. Only use PASSWORD_RESET_TIMEOUT when provided.
>
> I'm unsure which one is better, so inputs are welcome.
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
> To post to this group, send email to django-d...@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/c8e96008-eb95-4924-8e5e-9b02d6b90c99%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
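The approach discussed in this thread, as an added example that is not part of the thread and is not Django's own `TimestampSigner` code: a small stand-alone imitation of a timestamp-signed token in plain Python (HMAC-SHA256 over the value and its issue time) whose `max_age` accepts either seconds or a `timedelta`, so a 12-hour password reset limit is enforced in exactly the same way as the current 3-day one. The secret key, helper names, user identifier and timestamps are constructed for the example; a real deployment would use the framework's secret and clock.

```python
import base64
import hashlib
import hmac
import time
from datetime import timedelta
from typing import Optional, Tuple, Union

# Constructed example key; in Django this role is played by SECRET_KEY.
SECRET_KEY = b"constructed-example-secret-not-for-real-use"


class BadSignature(Exception):
    """Token was tampered with or is malformed."""


class SignatureExpired(BadSignature):
    """Token is authentic but older than the allowed max_age."""


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding; the alphabet never contains ':',
    # so ':' is safe to use as the field separator in the token.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: str, key: bytes) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def sign(value: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Return 'value_b64:issued_at:mac', binding the issue time into the MAC."""
    issued_at = int(time.time() if now is None else now)
    payload = f"{_b64(value.encode())}:{issued_at}"
    return f"{payload}:{_mac(payload, key)}"


def unsign(token: str, max_age: Union[int, float, timedelta],
           key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Verify the MAC first, then enforce max_age (seconds or timedelta)."""
    try:
        value_b64, issued_str, mac = token.rsplit(":", 2)
    except ValueError:
        raise BadSignature("malformed token")
    payload = f"{value_b64}:{issued_str}"
    # Constant-time comparison so the check leaks nothing about the MAC.
    if not hmac.compare_digest(_mac(payload, key), mac):
        raise BadSignature("signature mismatch")
    if isinstance(max_age, timedelta):
        max_age = max_age.total_seconds()
    age = (time.time() if now is None else now) - int(issued_str)
    if age > max_age:
        raise SignatureExpired(f"token is {age:.0f}s old, limit is {max_age:.0f}s")
    return _unb64(value_b64).decode()


def check_reset_token(token: str, max_age: Union[int, float, timedelta],
                      key: bytes = SECRET_KEY,
                      now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Classify a reset token as ('ok', value), ('expired', None) or ('bad', None)."""
    try:
        return "ok", unsign(token, max_age, key, now)
    except SignatureExpired:
        return "expired", None
    except BadSignature:
        return "bad", None


if __name__ == "__main__":
    t0 = 1_600_000_000  # constructed issue time
    token = sign("user-42", now=t0)
    # Same token, judged 13 hours later under the two timeouts discussed.
    print("3 days :", check_reset_token(token, timedelta(days=3), now=t0 + 13 * 3600))
    print("12 hours:", check_reset_token(token, 12 * 3600, now=t0 + 13 * 3600))
```

Because the timestamp is covered by the MAC, extending a token's life by editing its issue time is rejected as a bad signature rather than an expired one, and the expiry policy lives entirely in the `max_age` passed by the verifier, which is what lets the timeout be changed from days to seconds without reissuing anything.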