
Fixed Time limit password reset

Discussion in 'Resolved Bug Reports' started by Kent, Mar 15, 2013.

  1. Kent

    Kent Active Member

    An unused password reset code can be used at any time so long as another password reset isn't requested. Sorry if a time limit is already implemented and I missed it.

    insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`) values('3', 'password', 'test', unix_timestamp() - (60*60*24*30*3));
    insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`) values('4', 'password', 'test', 0);

    Doing something like this:
        public function validateUserConfirmationRecord($key, array $confirmation)
        {
            // Reject the record once it is older than the time limit.
            if (XenForo_Application::$time - $confirmation['confirmation_date'] >= 60*60*24*7) // 7 days
            {
                return false;
            }

            return ($confirmation['confirmation_key'] === $key);
        }
    Or adding a daily cron to prune old password resets would solve it.
    oman and Slavik like this.
  2. Slavik

    Slavik XenForo Moderator Staff Member

    I remember this being commented on before... and I swear they were set with an expiry.

    Let me poke $Mike...
  3. Mike

    Mike XenForo Developer Staff Member

    Yeah, I thought they had one too, but apparently not.

    It's now cleaned up hourly (after 3 days).
    Eagle, Biker and Chris D like this.
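
The two fixes discussed in the thread (an age check at validation time and a scheduled cleanup) are shown together below as an added example; it is not part of the thread and not XenForo's code. It assumes an in-memory SQLite table with the column names from the first post, a 3-day limit, and hypothetical function names.

```python
import hmac
import sqlite3

RESET_TTL = 3 * 24 * 60 * 60  # assumed limit: 3 days, the cleanup age given in the thread


def make_db():
    """In-memory stand-in for xf_user_confirmation (columns taken from the first post)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE xf_user_confirmation ("
        " user_id INTEGER, confirmation_type TEXT,"
        " confirmation_key TEXT, confirmation_date INTEGER,"
        " PRIMARY KEY (user_id, confirmation_type))"  # key choice is an assumption
    )
    return db


def add_reset(db, user_id, key, issued_at):
    """Store a reset record; a new request replaces the user's previous one."""
    db.execute(
        "INSERT OR REPLACE INTO xf_user_confirmation VALUES (?, 'password', ?, ?)",
        (user_id, key, issued_at),
    )


def validate_reset(db, user_id, key, now):
    """Accept a key only if it matches and was issued less than RESET_TTL ago."""
    row = db.execute(
        "SELECT confirmation_key, confirmation_date FROM xf_user_confirmation"
        " WHERE user_id = ? AND confirmation_type = 'password'",
        (user_id,),
    ).fetchone()
    if row is None:
        return False
    stored_key, issued_at = row
    if now - issued_at >= RESET_TTL:
        return False  # expired, even if the cleanup job has not run yet
    # Constant-time comparison of the stored and supplied keys.
    return hmac.compare_digest(stored_key.encode(), key.encode())


def prune_resets(db, now):
    """Scheduled cleanup: delete reset records older than RESET_TTL; returns rows removed."""
    cur = db.execute(
        "DELETE FROM xf_user_confirmation"
        " WHERE confirmation_type = 'password' AND confirmation_date <= ?",
        (now - RESET_TTL,),
    )
    return cur.rowcount
```

With cleanup alone, a record stays usable until the next scheduled run; the age check in `validate_reset` rejects it as soon as the limit passes.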
