Implement token expiration logic for password reset #881
Expected: I shouldn't be able to use any older token as the most recent one has already been used. Only the most recent token should be valid for security reasons.
Actual: I'm able to use all of the older tokens to change the password and log in to CE.
added a commit on Sep 1, 2018
Implemented. In the JSON oxTrust configuration I added 2 new properties to control this new functionality:
The old code did not remove expired requests from LDAP at all. Also, the token expiration time was 2 hours and it was hardcoded.
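The behaviour the report asks for, as an added example that is not part of this issue or of oxTrust's code: a reset-token store where issuing a new token replaces any older one for the same user, tokens are single use, and they expire after a configurable lifetime instead of a hardcoded 2 hours. The in-memory dict stands in for the LDAP entries the comment mentions (an assumption), and only a hash of each token is kept.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ResetRequest:
    user: str
    token_hash: str  # store a hash, never the raw token
    issued_at: float


@dataclass
class PasswordResetStore:
    """Stand-in for the LDAP entries that hold reset requests (assumed)."""
    ttl_seconds: int = 2 * 3600  # configurable instead of hardcoded
    _requests: Dict[str, ResetRequest] = field(default_factory=dict)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a token; replacing the entry invalidates every older token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._requests[user] = ResetRequest(user, self._hash(token), now)
        return token

    def consume(self, user: str, token: str, now: Optional[float] = None) -> bool:
        """Accept only the most recent, unexpired token, and only once."""
        now = time.time() if now is None else now
        req = self._requests.get(user)
        if req is None:
            return False
        if now - req.issued_at > self.ttl_seconds:
            del self._requests[user]  # expired: remove it rather than leave it behind
            return False
        if not hmac.compare_digest(req.token_hash, self._hash(token)):
            return False  # an older or forged token: hash does not match the latest
        del self._requests[user]  # single use
        return True

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Housekeeping the old code lacked: drop expired requests, return the count."""
        now = time.time() if now is None else now
        stale = [u for u, r in self._requests.items() if now - r.issued_at > self.ttl_seconds]
        for u in stale:
            del self._requests[u]
        return len(stale)
```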