View Issue Details

IDProjectCategoryView StatusLast Update
0021673mantisbtadministrationpublic2016-11-27 00:45
ReportervboctorAssigned Tovboctor 
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.3.1 
Target Version1.3.4Fixed in Version1.3.4 
Summary0021673: Extend activation URL validity period from 1 to 7 days
Description

At the moment when a user is created and receives an account activation URL that expires within 24 hours. Often the receives sees it or takes action on it after 24 hours due to time zones or weekends or other reasons. In such case, the URL is invalid and the whole cycle has to be repeated.

The same applies for lost password or reset password actions.

These links should expire in 30 days. There is really no rush to expire them in 24 hours. 30 days will cover even the cases when someone is on vacation and comes up and accepts the invite.

Tagsmantishub

Activities

atrol

atrol

2016-09-08 15:29

developer   ~0053983

What about having different validity periods for the different use cases?

lost password: 1 hour, the user triggers the action himself and is waiting for instant email

user creation by signup: 1 hour, the user triggers the action himself and is waiting for instant email

reset password: 3 days, the user asks the admin to reset the password, but does not know when the admin will react, 3 days should be enough to cover time zones and weekend aspects

user creation by the administrator: 30 days should be enough to cover vacation aspect

Maybe add 1 hour (or use configuration option for it) if email is sent by cron job.

vboctor

vboctor

2016-11-18 10:46

manager   ~0054542

Last edited: 2016-11-18 11:31

View 3 revisions

@atrol I'm not sure why we will add the complexity of having N different threshold. This just causes confusion when users miss the window. I don't see why we don't have a relaxed deadline. Reasons are:

  • If the user's email is compromised, the hacker can issue a new link anyway.
  • If user uses the link, we will de-activate the link so it can't be re-used.

Hence, I would go with a single threshold of 30 days and call it a day. Simple, works, and not really an issue in my opinion.

So fix will be as follows:

Replace:
define( 'TOKEN_EXPIRY_ACCOUNT_ACTIVATION', 24 60 60 );

With:
define( 'TOKEN_EXPIRY_ACCOUNT_ACTIVATION', 30 24 60 * 60 );

cproensa

cproensa

2016-11-18 17:58

developer   ~0054544

when creating the constant, i didn't have a strong reason to set it to 24 hours over any other time frame.

@atrol
I dont know what would be the benefit of having a strict short time interval (like the proposed 1-3 hours)
Is there a real use case where it may be necessary?

So, other than some imposed compliance, policies, etc i would not go for complicating the logic for different times.
If any, set it as a config option.

atrol

atrol

2016-11-20 09:18

developer   ~0054550

when creating the constant, i didn't have a strong reason to set it to 24 hours over any other time frame.

@cproensa
I thought that security was the reason for it. Seems I was wrong.
I wonder, if we increase from 1 day to 30 days, couldn't we increase to 360 days or remove token expiry?

cproensa

cproensa

2016-11-20 09:31

developer   ~0054551

I was thinking on the self-service scenario, where the user requests the activation through the "lost password" form, for defining at 24 hours.

I wonder, if we increase from 1 day to 30 days, couldn't we increase to 360 days or remove token expiry?

if there is no security risk for going from 1 to 30 days, then technically yes, expiration could be any arbitrary date.

As i said, i can think that a requirement for a different value may come from imposed policies, so this could be left as a (global) config option.

dregad

dregad

2016-11-21 06:40

developer   ~0054556

Even if the likelihood of it to happen is quite low, there is a risk that the message is intercepted or the link forged, which could give someone undue access to someone else's account.

While I agree that 24 hours is probably too short in some cases, going for 30 days seems a bit too extreme, and I would propose a shorter delay, say 3 days but no more than 1 week.

I also don't see the reason for differentiated deadlines.

vboctor

vboctor

2016-11-21 23:52

manager   ~0054561

I think of the duration as a way for us to cleanup abandoned invitations rather than a security feature. The interception scenario applies equally to a 1 day duration as it applies to 3 day, 1 week, or 1 month.

I'm OK with a 7 day or 30 days, but nothing less than 7 days. I also don't see a reason for multiple durations.

I'm OK with a constant N days or a config option that is defaulted to the threshold we see as reasonable (7 or 30) days.

vboctor

vboctor

2016-11-22 00:23

manager   ~0054562

PR: https://github.com/mantisbt/mantisbt/pull/956

Related Changesets

MantisBT: master-1.3.x 049c6d9c

2016-11-24 02:42:14

vboctor

Details Diff
Extend activation url expiry to 7 instead of 1 day

Fixes 0021673
mod - core/constant_inc.php Diff File

Issue History

Date Modified Username Field Change
2016-09-07 23:47 vboctor New Issue
2016-09-07 23:47 vboctor Status new => assigned
2016-09-07 23:47 vboctor Assigned To => vboctor
2016-09-07 23:47 vboctor Tag Attached: mantishub
2016-09-08 15:29 atrol Note Added: 0053983
2016-11-18 10:46 vboctor Note Added: 0054542
2016-11-18 10:47 vboctor Note Edited: 0054542 View Revisions
2016-11-18 11:31 vboctor Note Edited: 0054542 View Revisions
2016-11-18 17:58 cproensa Note Added: 0054544
2016-11-20 09:18 atrol Note Added: 0054550
2016-11-20 09:31 cproensa Note Added: 0054551
2016-11-21 06:40 dregad Note Added: 0054556
2016-11-21 23:52 vboctor Note Added: 0054561
2016-11-22 00:23 vboctor Note Added: 0054562
2016-11-24 02:43 vboctor Changeset attached => MantisBT master-1.3.x 049c6d9c
2016-11-24 02:43 vboctor Status assigned => resolved
2016-11-24 02:43 vboctor Resolution open => fixed
2016-11-24 02:43 vboctor Fixed in Version => 1.3.4
2016-11-24 02:58 atrol Target Version => 1.3.4
2016-11-24 04:13 vboctor Summary Extend activation URL validity period beyond 24 hours => Extend activation URL validity period from 1 to 7 days
2016-11-27 00:45 vboctor Status resolved => closed