View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|14638||Feature requests||Security||public||2019-03-12 17:43||2021-03-07 21:26|
|Summary||14638: One time password : add "time out"|
|Description||One-time password seems unlimited in time. A one-time password generated today is still valid in 10 years.|
(I didn't test one-time passwords a lot …)
I think it's a good idea to have a time-limited one-time password.
|Additional Information||1. Add a datetime (created ?) column in one time password|
2. Add a 'timelimit' one time password in config
3. When a user comes with a one-time password, check if datetime + timelimit is over (or not) and show an error message
Afterwards we can start to work on https://bugs.limesurvey.org/view.php?id=14049
Where we replace all sending of passwords with sending of a one-time password.
To avoid potential incompatibility with previous systems using one-time passwords: set the default to null/0 => means unlimited.
I dislike having bad security by default, but if it's different, it breaks different usages.
BUT: maybe set it to one hour by default: it's OK because we broke the API.
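
The three steps proposed above, sketched as an added example (not LimeSurvey code and not written by the reporter). The function name, its parameters and the return strings are hypothetical, and the 'timelimit' setting is assumed to be in seconds.

```php
<?php
declare(strict_types=1);

// Added illustration; names are hypothetical, not LimeSurvey's own code.
// $created   : value of the proposed "created" column (null for old rows)
// $timeLimit : proposed 'timelimit' setting, assumed in seconds; null/0 = unlimited
// Returns 'ok', 'invalid' or 'expired'.
function checkOneTimePassword(
    string $submitted,
    ?string $stored,
    ?DateTimeImmutable $created,
    ?int $timeLimit,
    DateTimeImmutable $now
): string {
    // No one-time password on record, or wrong value: never reveal expiry state.
    // hash_equals() compares in constant time.
    if ($stored === null || $stored === '' || !hash_equals($stored, $submitted)) {
        return 'invalid';
    }
    // Backward-compatible default from the request: null/0 means unlimited.
    if ($timeLimit === null || $timeLimit <= 0) {
        return 'ok';
    }
    // A limit is configured but the row predates the "created" column:
    // fail closed rather than treat the password as fresh.
    if ($created === null) {
        return 'expired';
    }
    $age = $now->getTimestamp() - $created->getTimestamp();
    // A negative age means a creation time in the future (clock or data problem).
    if ($age < 0 || $age > $timeLimit) {
        return 'expired';
    }
    return 'ok'; // caller should clear the stored value so it stays single-use
}

// Constructed sample data.
$utc    = new DateTimeZone('UTC');
$issued = new DateTimeImmutable('2019-03-12 17:43:00', $utc);
$cases  = [
    'within one hour'      => [$issued->modify('+30 minutes'), 3600],
    'ten years later'      => [$issued->modify('+10 years'), 3600],
    'ten years, unlimited' => [$issued->modify('+10 years'), 0],
];
foreach ($cases as $label => [$now, $limit]) {
    echo $label, ': ', checkOneTimePassword('s3cret', 's3cret', $issued, $limit, $now), PHP_EOL;
}
```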