Refs #28622 -- Clarified security implications of PASSWORD_RESET_TIMEOUT.

This commit is contained in:
Luke Plant 2019-09-20 13:07:34 +02:00 committed by Mariusz Felisiak
parent 226ebb1729
commit 45304e444e
1 changed files with 10 additions and 0 deletions


@ -2885,6 +2885,16 @@ The minimum number of seconds a password reset link is valid for.
Used by the :class:`~django.contrib.auth.views.PasswordResetConfirmView`. Used by the :class:`~django.contrib.auth.views.PasswordResetConfirmView`.
.. note::
Reducing the value of this timeout doesn't make difference to the ability of
an attacker to brute-force a password reset token. Tokens are designed to be
safe from brute-forcing without any timeout.
This timeout exists to protect against some unlikely attack scenarios, such
as someone gaining access to email archives that may contain old, unused
password reset tokens.
.. setting:: PASSWORD_RESET_TIMEOUT_DAYS .. setting:: PASSWORD_RESET_TIMEOUT_DAYS
``PASSWORD_RESET_TIMEOUT_DAYS`` ``PASSWORD_RESET_TIMEOUT_DAYS``
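Review bot: Grammar slip in the first sentence of the added ``.. note::`` block: "doesn't make difference to the ability of an attacker" should read "doesn't make any difference to the ability of an attacker". It would also help the reader if the second sentence, "Tokens are designed to be safe from brute-forcing without any timeout.", pointed at the token generator documentation, since the claim relies on how the token is constructed rather than on this setting; as written, the note asserts it without a reference.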