How to add an expiration time to a reset password link?
Use Event Scheduler. It will disable expired tokens automatically.
CREATE EVENT disable_old_pw_reset_token
ON SCHEDULE EVERY 1 MINUTE
DO
UPDATE var SET token = NULL WHERE token_expire < CURRENT_TIMESTAMP;
I assume that token_expire
stores expiration datetime value.
The presence of the index by token_expire
(by single column or as a prefix) is reasonable.
Do not forget to enable Event Scheduler.
Password reset token storage - should values be hashed?
Yes, you should hash password reset tokens because
- reset tokens expire and not every user has an active one
- users notice when their passwords are changed, but not when their
passwords are cracked, and can thus take steps to limit the damage
(change password and other sensitive data, etc).
Additionally, as users reuse passwords, an attacker can try a cracked passwords for other accounts, such as the users email, thus increasing the damage.
Key points:
If your token has enough entropy, lets say 20 random characters 0-9 a-z A-Z, then you can calculate an unsalted fast hash (e.g. SHA-256 or SHA-512) and store it. This is safe, because it is not possible to successfully brute-force such strong "passwords". Salting is done, because passwords choosen by people are often relatively weak, because they have to be remembered.
If a "password reset token" allows someone to reset a password with other clear text information, then it's effectively the same as a password and Should be treated as such.
Make them expire of a few minutes or hours, and treat them like secrets, because they are.
I hope this will help
Password-recovery expire time in PHP
Just save the expiration time with the reset token in the database, and when the time has expired just don't accept the reset token anymore. This is by far the easiest and safest method.
Another way would be creating a reset hash, appending the time, and encrypting that with a secret key. Decrypt and check the timestamp when you check the hash. If the key leaked, however, this method becomes as weak as just putting it in plain text in the URL.
Laravel Change Password Reset Token duration for specific tokens
The expiration duration is defined in auth.php
. You can simply define another configuration with a different expiration time:
'passwords' => [
'users' => [
'provider' => 'users',
'table' => 'password_resets',
'expire' => 60,
],
'users_welcome' => [
'provider' => 'users',
'table' => 'password_resets',
'expire' => 120,
],
],
And when you're generating the mail you can use that new broker:
\Illuminate\Support\Facades\Password::broker('users_welcome')->sendResetLink($user->email);
To check whether the token is expired, Laravel uses the created_at
of the reset and the defined expiration duration:
/**
* Determine if the token has expired.
*
* @param string $createdAt
* @return bool
*/
protected function tokenExpired($createdAt)
{
return Carbon::parse($createdAt)->addSeconds($this->expires)->isPast();
}
https://github.com/laravel/framework/blob/5.8/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php#L139
Laravel 5 How to check password reset token if it has expired or not
Use the created_at
to check if a certain duration has passed from the time of insertion. For example you can do like so :
$token = DB::table('password_resets')
->where('token','=',$token)
->where('created_at','>',Carbon::now()->subHours(2))
->first();
Then check if the token exists.
Related Topics
Message: Trying to Access Array Offset on Value of Type Null
Openssl Not Working on Windows, Errors 0X02001003 0X2006D080 0X0E064002
Making a Http Get Request with Http-Basic Authentication
How to Tell If a Timezone Observes Daylight Saving at Any Time of the Year
Designing a Secure Auto Login Cookie System in PHP
How to Convert an Image to Black and White in PHP
Regex, Get String Value Between Two Characters
How to Consume a Wcf Web Service That Uses Custom Username Validation with a PHP Page
PHP Exec: Does Not Return Output
How to Wrap Long Lines Without Spaces in HTML
How to Find Array/Dictionary Value Using Key
Difference Between File, File_Get_Contents, and Fopen in PHP
Regex/Domdocument - Match and Replace Text Not in a Link
Remotely Connecting to a MySQL Database
Parsing JavaScript (Not JSON) in PHP
Inserting Utf-8 Encoded String into Utf-8 Encoded MySQL Table Fails with "Incorrect String Value"