crhume / pwm

Automatically exported from code.google.com/p/pwm

allow email/sms token to expire after a time interval #106

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi, this is an enhancement request.

Currently, I'm unable to find a setting that allows me to configure the token 
expiration time interval during password recovery.

Having a session token that expires after a restricted time interval can 
downplay replay attacks.

What steps will reproduce the problem?
1. Select Module > Forgotten Password
2.
3.

What is the expected output? What do you see instead?
It will be great if PWM allows the configuration of email/sms token expiry. For 
example, restrict email/sms generated tokens to expire after X minutes.

What version of PWM are you using?
1.5.5

What ldap directory and version are you using?
SUN directory

Please paste any error log messages below:
N.A.

Original issue reported on code.google.com by anj...@gmail.com on 30 Aug 2011 at 1:19

GoogleCodeExporter commented 9 years ago
Hi, this has already been implemented.

Configuration Manager --> View --> Advanced Settings

Settings --> Email --> Maximum Email Queue Age Reset (default 3600 seconds)

Settings --> SMS --> Maximum SMS Queue Age Reset (default 300 seconds)

Note that a regular web session will time out (default) after 5 minutes of 
inactivity.

Original comment by menno.pi...@gmail.com on 30 Aug 2011 at 1:30

GoogleCodeExporter commented 9 years ago
More information: the token is usable only during the validity of the session. 
When the session expires, the token automatically expires. To prevent replay of 
the session, always use SSL communication, which will hide cookies, tokens, 
session data, etc.

Original comment by menno.pi...@gmail.com on 30 Aug 2011 at 1:34

GoogleCodeExporter commented 9 years ago
Menno's correct for v1.5.5. However, I've recently checked in a change to svn 
that stores tokens into a database (either the local PwmDB or RDBMS) for both 
forgotten password and new user registration.  It still needs some more 
testing, but it will make it into 1.5.6.

With this setup, tokens can last an arbitrary length of time independent of 
the web session; this also solves the problem of a different browser (and thus 
a different session) starting up when the user clicks links in email.

I'm unclear how this will interact with the SMS tokens, thus the testing 
needed....

I'm still of the opinion that tokens should only last a brief time (like 10m or 
something), but what do I know.

Original comment by jrivard on 30 Aug 2011 at 1:43
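The design jrivard describes (a token persisted in a store with its own lifetime, decoupled from the web session) is sketched below as an added example. This is not PWM's code and none of the names are PWM identifiers; the in-memory dictionary stands in for the PwmDB/RDBMS table, tokens are stored as SHA-256 digests so a copy of the store does not yield usable tokens, each token is bound to the purpose it was issued for (forgotten password vs. new user), and a token can be redeemed once only, so a replay after the first use fails even inside the validity window. The 10-minute TTL in the demo is the brief lifetime the comment argues for.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class TokenRecord:
    """One row of the hypothetical token table."""
    purpose: str        # e.g. "forgotten-password" or "new-user"
    issued_at: float    # epoch seconds from the injected clock
    ttl_seconds: int    # lifetime independent of any web session
    consumed: bool = False


class TokenStore:
    """Hypothetical persistent token store with its own expiry (not PWM's API).

    The clock is injectable so the expiry logic can be exercised deterministically.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored; the plaintext token travels in the email/SMS.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, purpose: str, ttl_seconds: int) -> str:
        """Create a random, unguessable token and record its lifetime."""
        token = secrets.token_urlsafe(24)  # 192 bits of randomness
        self._records[self._digest(token)] = TokenRecord(
            purpose=purpose, issued_at=self._clock(), ttl_seconds=ttl_seconds
        )
        return token

    def redeem(self, purpose: str, token: str) -> bool:
        """Accept the token exactly once, only for its purpose, only before expiry."""
        key = self._digest(token)
        rec: Optional[TokenRecord] = self._records.get(key)
        if rec is None or rec.purpose != purpose:
            return False
        if self._clock() - rec.issued_at > rec.ttl_seconds:
            del self._records[key]      # expired: drop it regardless of session state
            return False
        if rec.consumed:
            return False                # replay of an already-used token
        rec.consumed = True
        return True

    def purge_expired(self) -> int:
        """Housekeeping pass; returns how many stale rows were removed."""
        now = self._clock()
        stale = [k for k, r in self._records.items() if now - r.issued_at > r.ttl_seconds]
        for k in stale:
            del self._records[k]
        return len(stale)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through use, replay, expiry and purpose mismatch with a fake clock."""
    now = [1_000_000.0]                       # constructed starting time
    store = TokenStore(clock=lambda: now[0])

    tok = store.issue("forgotten-password", ttl_seconds=600)   # 10 minute lifetime
    now[0] += 300                             # user clicks the link 5 minutes later
    first_use = store.redeem("forgotten-password", tok)         # True
    replay = store.redeem("forgotten-password", tok)            # False: already consumed

    tok2 = store.issue("forgotten-password", ttl_seconds=600)
    now[0] += 601                             # link opened after the window closed
    expired = store.redeem("forgotten-password", tok2)          # False: past TTL

    tok3 = store.issue("new-user", ttl_seconds=600)
    wrong_purpose = store.redeem("forgotten-password", tok3)    # False: issued for new-user
    return first_use, replay, expired, wrong_purpose


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

Because validity is checked against the stored issue time rather than the caller's session, the token works even when the email link opens a fresh browser with no session, which is the scenario the comment above raises; the TTL and the single-use flag, not the session, are what bound the replay window.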

GoogleCodeExporter commented 9 years ago

Original comment by jrivard on 30 Aug 2011 at 1:43

GoogleCodeExporter commented 9 years ago

Original comment by jrivard on 30 Aug 2011 at 1:44

GoogleCodeExporter commented 9 years ago
Sorry, didn't realize that. About the SMS: I think it's no different from 
email; it's just another method of sending the token.

Original comment by menno.pi...@gmail.com on 30 Aug 2011 at 1:51

GoogleCodeExporter commented 9 years ago
Yeah, my bad, I should open issues for enhancements :) 

Original comment by jrivard on 30 Aug 2011 at 2:11

GoogleCodeExporter commented 9 years ago
Thanks for taking this up. I will stick to 1.5.5 for now since this affects 
only versions after 1.5.5.

Original comment by anj...@gmail.com on 30 Aug 2011 at 2:27

GoogleCodeExporter commented 9 years ago
This feature is now in builds 1082 and after.

Original comment by jrivard on 20 Sep 2011 at 2:31