yunojuno / django-request-token

Django app that uses JWT to manage one-time and expiring tokens to protected URLs. Not related to DRF.
MIT License

Update default max uses for LOGIN_MODE_SESSION tokens #40

Closed hugorodgerbrown closed 4 years ago

hugorodgerbrown commented 4 years ago

Solves #39


Session tokens with a default max_use of 1 are problematic as email clients / services now often ping URLs in emails in order to cache images / detect phishing sites. This results in session tokens expiring before the user has had a chance to click on the link.

The new default is 10 uses, 10 minutes.

hugorodgerbrown commented 4 years ago

NB this needs a rewrite - a session token should redirect to a page that requires a button click.
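To make the problem in this thread concrete, here is an added toy model (not django-request-token's own code, and not using Django) of a use-limited, expiring session token. It shows why a default of one use is exhausted by a mail scanner that fetches the link before the user does, how the 10 uses / 10 minutes default changes that, and the alternative raised in the last comment: serving an interstitial page on GET and only spending the token on the button's POST. The `SessionToken`, `issue`, `handle` and `simulate_email_link` names and the timestamps are constructed for this example.

```python
"""Toy model (not django-request-token's code) of expiring, use-limited
session tokens, and of why max_uses=1 breaks when mail scanners prefetch links."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SessionToken:
    """Minimal stand-in for a request token: a use counter plus an expiry."""
    max_uses: int
    expires_at: datetime
    used: int = 0

    def is_valid(self, now: datetime) -> bool:
        return self.used < self.max_uses and now < self.expires_at

    def consume(self, now: datetime) -> bool:
        """Spend one use; return False (spending nothing) if the token is dead."""
        if not self.is_valid(now):
            return False
        self.used += 1
        return True


def issue(now: datetime, max_uses: int = 10, minutes: int = 10) -> SessionToken:
    """Defaults mirror the values in the PR description (10 uses, 10 minutes)."""
    return SessionToken(max_uses=max_uses, expires_at=now + timedelta(minutes=minutes))


def handle(token: SessionToken, method: str, now: datetime, consume_on_get: bool) -> str:
    """Two server-side policies for the link in the e-mail:
    - consume_on_get=True: the link itself logs the user in, so any GET
      (a scanner's included) spends a use.
    - consume_on_get=False: GET renders an interstitial page with a button and
      only the POST from that button spends the token, so a scanner that merely
      fetches the URL cannot exhaust it."""
    if method == "GET" and not consume_on_get:
        return "interstitial" if token.is_valid(now) else "expired"
    return "logged_in" if token.consume(now) else "expired"


def simulate_email_link(max_uses: int, scanner_hits: int, consume_on_get: bool,
                        click_delay_minutes: int = 1) -> bool:
    """Constructed scenario: a mail scanner GETs the link `scanner_hits` times
    right after delivery, then the real user follows it `click_delay_minutes`
    later. Returns True if the user ends up logged in."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)  # constructed issue time
    token = issue(t0, max_uses=max_uses)
    for i in range(scanner_hits):
        handle(token, "GET", t0 + timedelta(seconds=i), consume_on_get)
    click_time = t0 + timedelta(minutes=click_delay_minutes)
    if consume_on_get:
        return handle(token, "GET", click_time, True) == "logged_in"
    # Interstitial design: the user's GET shows the page, the button POSTs.
    if handle(token, "GET", click_time, False) != "interstitial":
        return False
    return handle(token, "POST", click_time, False) == "logged_in"


if __name__ == "__main__":
    print("max_uses=1, one scanner hit, login on GET :", simulate_email_link(1, 1, True))
    print("max_uses=10, one scanner hit, login on GET:", simulate_email_link(10, 1, True))
    print("max_uses=1, five scanner hits, button POST:", simulate_email_link(1, 5, False))
    print("clicked after 11 minutes                  :", simulate_email_link(10, 0, True, 11))
```

Raising `max_uses` only buys headroom: a scanner that fetches the link ten times still locks the user out, and every spare use is a window in which a leaked URL also works. Spending the token on a POST from an interstitial page removes the scanner problem without that headroom, which is the rewrite the last comment points at.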