I've identified a significant issue with the password reset functionality in our Laravel application. Despite the password reset email stating that the link expires in 60 minutes, users are still able to use the same link to reset their password after this period.
This inconsistency poses a security risk and could confuse users. It's essential that the expiration mechanism for the password reset link aligns with the time frame stated in the email notification.
I'm bringing this issue to the team's attention so that it can be investigated and addressed promptly. Ensuring the integrity of the password reset process is critical for the security and usability of our application.
Hi Nipesh,
May I know if you have customised the password reset function?
Ensure that the expiration time for password reset tokens is correctly configured in your Laravel application. This configuration should be set in the config/auth.php file under the 'passwords.users.expire' key. By default, it should be set to 60 minutes ('expire' => 60).
Verify that the password reset tokens are being generated with an expiration timestamp. When a user requests a password reset, a unique token with an expiry time should be generated and stored in the database. Ensure the token's expiration time is correctly set to 60 minutes in the database.
Thanks
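A feature test that pins down the behaviour the reply describes, added here as an example rather than code from the original thread. It assumes a Laravel 8 or newer application with the default `users` password broker, the reset-token table migrated, and a `User` factory; the `'expire'` value read from `config/auth.php` is the one the reply refers to.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Password;
use Tests\TestCase;

// Assumed config/auth.php fragment (table name varies by Laravel version):
//   'passwords' => ['users' => [
//       'provider' => 'users', 'table' => 'password_reset_tokens',
//       'expire' => 60, 'throttle' => 60,
//   ]],
// 'expire' is the token lifetime in minutes and must match the email text.
class PasswordResetTokenExpiryTest extends TestCase
{
    use RefreshDatabase;

    public function test_reset_token_is_rejected_after_configured_expiry(): void
    {
        $user = User::factory()->create();
        $broker = Password::broker();
        $lifetime = (int) config('auth.passwords.users.expire');

        // The broker stores a hash of the token plus created_at in the reset table.
        $token = $broker->createToken($user);
        $this->assertTrue($broker->tokenExists($user, $token));

        // Still valid one minute before the configured lifetime ends.
        $this->travel($lifetime - 1)->minutes();
        $this->assertTrue($broker->tokenExists($user, $token));

        // Two minutes later the lifetime has passed; the broker must reject it.
        $this->travel(2)->minutes();
        $this->assertFalse($broker->tokenExists($user, $token));
    }
}
```

If this test passes while an old link still works in the browser, the reset request is being handled outside the default broker (a custom controller or token repository), which is the customisation the reply asks about.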