
Fixed Time limit password reset


Active member
An unused password reset code can be used at any time so long as another password reset isn't requested. Sorry if a time limit is already implemented and I missed it.

    insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`) values('3', 'password', 'test', unix_timestamp() - (60*60*24*30*3));
    insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`) values('4', 'password', 'test', 0);

Doing something like this:
    public function validateUserConfirmationRecord($key, array $confirmation)
    {
        // Reject confirmation records that are 7 days old or older
        if (XenForo_Application::$time - $confirmation['confirmation_date'] >= 60*60*24*7) // 7 days
        {
            return false;
        }

        return ($confirmation['confirmation_key'] === $key);
    }
Or adding a daily cron to prune old password resets would solve it.
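
Both fixes suggested in the post above, as an added stand-alone PHP example (not part of the original post and not XenForo's own code). The function names, the `RESET_TTL` constant and the sample rows are assumptions made for illustration; rejecting future-dated records and comparing keys in constant time go beyond what the post proposes.

```php
<?php
// Added illustration: stand-alone functions, not XenForo's actual code.
const RESET_TTL = 60 * 60 * 24 * 7; // 7 days, the window proposed in the post

/**
 * True only when the key matches and the record is inside the TTL window.
 * $row mirrors the xf_user_confirmation columns used in the post.
 */
function isResetRecordValid(string $key, array $row, int $now, int $ttl = RESET_TTL): bool
{
    $age = $now - (int) $row['confirmation_date'];
    // Reject expired records, and records dated in the future (negative age).
    if ($age < 0 || $age >= $ttl) {
        return false;
    }
    // hash_equals() compares the stored key and the supplied key in constant time.
    return hash_equals((string) $row['confirmation_key'], $key);
}

/** The cron alternative: drop 'password' records that have outlived the TTL. */
function pruneExpiredResets(array $rows, int $now, int $ttl = RESET_TTL): array
{
    return array_values(array_filter($rows, function (array $row) use ($now, $ttl) {
        return $row['confirmation_type'] !== 'password'
            || ($now - (int) $row['confirmation_date']) < $ttl;
    }));
}

// Constructed sample rows: users 3 and 4 follow the post's INSERTs, user 5 is a fresh request.
$now = time();
$rows = [
    ['user_id' => 3, 'confirmation_type' => 'password', 'confirmation_key' => 'test', 'confirmation_date' => $now - 60 * 60 * 24 * 30 * 3],
    ['user_id' => 4, 'confirmation_type' => 'password', 'confirmation_key' => 'test', 'confirmation_date' => 0],
    ['user_id' => 5, 'confirmation_type' => 'password', 'confirmation_key' => 'test', 'confirmation_date' => $now - 3600],
];

foreach ($rows as $row) {
    $verdict = isResetRecordValid('test', $row, $now) ? 'accepted' : 'rejected';
    printf("user %d: %s\n", $row['user_id'], $verdict);
}
printf("rows left after prune: %d\n", count(pruneExpiredResets($rows, $now)));
```

Checking the age at validation time closes the window even if the prune job has not run yet; the prune alone leaves stale codes usable until the next cron run.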


XenForo moderator
Staff member
I remember this being commented on before... and I swear they were set with an expiry.

Let me poke $Mike...