How to expire password reset token after password changed?
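I have set up password reset functionality in Django. I would like to know how to make the password reset URL expire after it has been used to reset the password.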
The token is generated in such a way that it destroys itself automatically; take a look at _make_hash_value in the Django auth tokens. I copy the code comments here:
Hash the user's primary key and some user state that's sure to change after a password reset to produce a token that invalidated when it's used:
- The password field will change upon a password reset (even if the same password is chosen, due to password salting).
- The last_login field will usually be updated very shortly after a password reset.
Failing those things, settings.PASSWORD_RESET_TIMEOUT_DAYS eventually invalidates the token.
Running this data through salted_hmac() prevents password cracking attempts using the reset token, provided the secret isn't compromised.
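A simplified sketch of the mechanism those comments describe, added here as an illustration; it is not Django's code and is not part of the original answer. It uses only the standard library, and SECRET, TIMEOUT_DAYS, the User dataclass and the day-number timestamp are assumptions standing in for the project's secret key, PASSWORD_RESET_TIMEOUT_DAYS, the user model and Django's own timestamp.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: stands in for the project's secret key
TIMEOUT_DAYS = 3                     # assumption: stands in for PASSWORD_RESET_TIMEOUT_DAYS


@dataclass
class User:  # hypothetical minimal user record
    pk: int
    password: str              # stored salted hash, never the plaintext
    last_login: Optional[str]


def _make_hash_value(user: User, day: int) -> str:
    # User state that is sure to change after a reset, plus the issue day.
    return f"{user.pk}{user.password}{user.last_login or ''}{day}"


def make_token(user: User, day: int) -> str:
    mac = hmac.new(SECRET, _make_hash_value(user, day).encode(), hashlib.sha256)
    return f"{day}-{mac.hexdigest()}"


def check_token(user: User, token: str, today: int) -> bool:
    try:
        day = int(token.split("-", 1)[0])
    except ValueError:
        return False
    # Recompute from the user's CURRENT state; a changed password hash or
    # last_login yields a different MAC, so the old token no longer matches.
    expected = make_token(user, day)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    # Fallback described in the comment: the timeout eventually expires it.
    return 0 <= today - day <= TIMEOUT_DAYS


def demo():
    # Constructed sample values, not real hashes.
    user = User(pk=7, password="pbkdf2_sha256$constructed$saltA$hashA", last_login=None)
    token = make_token(user, day=100)
    before = check_token(user, token, today=100)
    # Reset to the same password: a new salt still changes the stored hash.
    user.password = "pbkdf2_sha256$constructed$saltB$hashB"
    after = check_token(user, token, today=100)
    return before, after
```
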