Currently the tokens will work for 30 days, which is a departure from the default in Drupal core of 24 hours. I suggest using the variable user_password_reset_timeout to determine how long links should work and defaulting the value to 24 hours. See #246029: Use a variable for the timeout/expiration of user password reset links (followup) for details on the variable.

Also, if cron stops working on a site then tokens could get old. The query to fetch the token should apply a condition that the token is younger than the variable.
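A worked illustration of the two suggestions in this post (take the timeout from user_password_reset_timeout with a 24-hour default, and enforce the age in the token lookup query so a stalled cron cannot leave old tokens usable), written for Drupal 7 as an added example, not code from the sandbox module; the table, column and function names are assumptions.

```php
<?php
// Added example, not the module's own code. Assumes a hypothetical table
// 'example_login_token' with columns uid, token and created (unix timestamp).

/**
 * Loads a login token only if it is still within the configured timeout.
 *
 * The timeout comes from the core variable user_password_reset_timeout,
 * defaulting to 24 hours (86400 seconds) as Drupal core does. The age check
 * is part of the query itself, so a stale row that cron has not yet deleted
 * is never accepted.
 */
function example_login_token_load($token) {
  // Same default Drupal core uses for password reset links.
  $timeout = (int) variable_get('user_password_reset_timeout', 86400);

  // Rows created at or before this point are expired regardless of cron.
  $cutoff = REQUEST_TIME - $timeout;

  return db_select('example_login_token', 't')
    ->fields('t', array('uid', 'token', 'created'))
    ->condition('t.token', $token)
    ->condition('t.created', $cutoff, '>')
    ->execute()
    ->fetchObject();
}

/**
 * Cron callback: purge expired tokens using the same timeout value, so the
 * stored rows and the validity rule above cannot disagree.
 */
function example_login_token_cron() {
  $timeout = (int) variable_get('user_password_reset_timeout', 86400);
  db_delete('example_login_token')
    ->condition('created', REQUEST_TIME - $timeout, '<=')
    ->execute();
}
```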

Comments

chrism2671

I agree with this x2; I'll get these in as soon as the initial module gets approved (just trying to get it through first!).

chrism2671

Status: Active » Closed (fixed)

OK, I've fixed both of these issues & committed.

greggles

Status: Closed (fixed) » Needs work

Which commit(s) fixed this? I did a quick review and didn't see a change that fully addressed this.

chrism2671

Status: Needs work » Needs review

Hi Greggles,

My mistake: I missed the crucial one; it's in now. I've added a config page, and pulled user_password_reset_timeout in as the default setting as you suggested.

Project: » Lost & found issues

This issue’s project has disappeared. Most likely, it was a sandbox project, which can be deleted by its maintainer. See the Lost & found issues project page for more details. (The missing project ID was 2065751)