News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

Validation codes expires?

Started by Jotade29, November 28, 2022, 09:19:25 PM

Previous topic - Next topic

Jotade29

Hello, I would like to know if, in the 2.0.19 branch, there is a function that makes password reset codes expire (members -> validation_codes), if exist, pls, said me where. Thank you very much

Kindred

No... there is not. And studies have shown that requiring password resets results in LESS secure passwords
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Jotade29

Quote from: Kindred on November 28, 2022, 10:41:26 PMNo... there is not. And studies have shown that requiring password resets results in LESS secure passwords

Hi Kindred.

If you say that, I believe it, but you have to give users the option to reset passwords. Then I will have to create a maintenance that executes the delete of the data of that column, or makes a trigger that does it every x time.

Thank you very much  :)

Kindred

the option to change your password is already part of SMF... 
the option to ask for a password reset because you forgot your password is already part of SMF.

as I said, FORCING users to change a password results in passwords like myPassword123! being changed to myPassword456! and so on...

Instead, requiring a secure password to begin with and allowing the user to keep that password means that you are more likely to get something like HVVK78ecw7dsds0^&%

Deleting the data in the password column is ****NOT**** the way to go about doing what you are asking, however.
You would have to write a script that tracks time and forces the user to enter a new password at the next login after time > x


Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Jotade29

Quote from: Kindred on Yesterday at 01:27:08 PMthe option to change your password is already part of SMF... 
the option to ask for a password reset because you forgot your password is already part of SMF.

as I said, FORCING users to change a password results in passwords like myPassword123! being changed to myPassword456! and so on...

Instead, requiring a secure password to begin with and allowing the user to keep that password means that you are more likely to get something like HVVK78ecw7dsds0^&%

Deleting the data in the password column is ****NOT**** the way to go about doing what you are asking, however.
You would have to write a script that tracks time and forces the user to enter a new password at the next login after time > x




No, no, I think I have not explained myself well. I mean the password reset code, not the password. The token that allows you to reset your password

Kindred

the validation_code field being blank doesn't mean anything....
do not reset password_salt - ever



wait...   are you afraid of someone else re-using the link with the activation/validation code?
the data is checked -- if someone uses a code AND the account is already active, then SMF ignores the activation and triggers an error (already activated). The validation code only works if the account is in an INACTIVE state. (is_activated = 0 (not completed registration/activation) or is_activated = 2 (user has changed emails)
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Jotade29

Quote from: Kindred on Yesterday at 02:10:13 PMthe validation_code field being blank doesn't mean anything....
do not reset password_salt - ever



wait...   are you afraid of someone else re-using the link with the activation/validation code?
the data is checked -- if someone uses a code AND the account is already active, then SMF ignores the activation and triggers an error (already activated). The validation code only works if the account is in an INACTIVE state. (is_activated = 0 (not completed registration/activation) or is_activated = 2 (user has changed emails)


No. The validation_code in members column is used, among other things I imagine, for when the password is changed, that token is created. What I want is that this token, when the forgot your password function is requested, expires, for example, after 24 hours.

Would it be correct to create an event in the database that updates that column every 24 hours and leaves them ""?

Kindred

why?   

Let's take a step back...
What exactly are you trying to accomplish as an end result?
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Jotade29

Quote from: Kindred on Yesterday at 04:41:45 PMwhy?   

Let's take a step back...
What exactly are you trying to accomplish as an end result?

Thanks u support, Kin

What I'm trying to do is have the validation code field cleared every 24 hours. It makes no sense to request a password change and not follow the link with the code.

Diego Andrés

Seems unnecessary if only the user has access to that code.
If they haven't confirmed the change after some time, you could manually do it from the admin.

SMF Tricks - Free & Premium Responsive Themes for SMF.

Advertisement: