
validity of reset links in password-reset emails


Michael247

Hi

I have a question about the password reset functionality. I've just tested with a reset link from 19 May 2015 (13 months ago) and the password reset still works with this link.

How long is the reset link in the email valid (period of validity)? I guess the link is valid forever, is it?

Where are these "recovery tokens" stored?

You have no idea what I'm talking about? Here is an example of a link from the e-mail:

http://www.domain.tld/kennwort-wiederherstellung?token=faa0123456789abcdef0123456789abc&id_customer=12345

(I suppose in English it's called "password-reset" or "password-recovery" instead of "kennwort-wiederherstellung")

Best Regards, Michael


That token is not the recovery token, it is the customer's token. It's designed to confirm you are the customer and aren't just randomly entering customer IDs in an attempt to reset their passwords. If you reset your password a second time, you'd see the same token is used. The token is randomly generated when the customer is created and then stored in the `secure_key` column of the `ps_customer` table in the database.

As you say, there is no limit on how long the link works for or how many times you can use it. The link is always there if you need it.

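The static per-customer `secure_key` described in the reply above stays valid for as long as the account exists, so any old e-mail or leaked link keeps working. For contrast, here is an added example (not PrestaShop code) of the reset-token handling a defender would expect: a fresh random token per request, stored only as a hash, bound to the customer id, expiring after a TTL and invalidated on first use. The in-memory store, the one-hour TTL and the injectable clock are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy value for the demo; real deployments pick their own TTL.
TOKEN_TTL_SECONDS = 3600


def _hash_token(token: str) -> str:
    # Store only a hash so a database read does not yield usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Stand-in for a reset-token table keyed by customer id (constructed)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._rows = {}          # customer_id -> (token_hash, expires_at)

    def issue(self, customer_id: int) -> str:
        """Mint a new token for the customer; the plaintext goes only into the e-mail."""
        token = secrets.token_urlsafe(32)            # 256 bits from a CSPRNG
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._rows[customer_id] = (_hash_token(token), expires_at)  # replaces any older token
        return token

    def redeem(self, customer_id: int, token: str) -> bool:
        """Accept the token once, only for its customer, only before expiry."""
        row = self._rows.get(customer_id)
        if row is None:
            return False
        token_hash, expires_at = row
        # Constant-time compare of equal-length hex digests.
        if not hmac.compare_digest(_hash_token(token), token_hash):
            return False
        del self._rows[customer_id]      # single use: consumed whether fresh or stale
        return self._now() <= expires_at


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue(12345)
    print("first use accepted:", store.redeem(12345, link_token))
    print("replayed link accepted:", store.redeem(12345, link_token))
```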
