I think we shouldn't shoe-horn a timedelta into the existing setting, so my vote is with the second option, but I think a timedelta is much more readable than just an integer.
Also, the existing 3 day timeout for password links is quite surprising from a security point of view. The consultants I work with would flag up a token that lasts longer than 12 hours as an issue during a pentest. IMO a new, far shorter default should be added to this setting.

On 21 Sep 2017 03:56, "Zhiqiang Liu" <[email protected]> wrote:

> I need general consensus on how to proceed with supporting password expire time to be under a day. Currently it is not possible because we use PASSWORD_RESET_TIMEOUT_DAYS.
>
> In ticket 28622 <https://code.djangoproject.com/ticket/28622> we have two options. One is to continue to use the same setting PASSWORD_RESET_TIMEOUT_DAYS, but change the value to non-integer (such as timedelta) so we can send hours, minutes, etc. to it. The other one is to create a new setting like PASSWORD_RESET_TIMEOUT which takes seconds.
>
> To support backward compatibility, I think we should keep PASSWORD_RESET_TIMEOUT_DAYS and its default value of 3. Only use PASSWORD_RESET_TIMEOUT when provided.
>
> I'm unsure which one is better, so inputs are welcome.
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/c8e96008-eb95-4924-8e5e-9b02d6b90c99%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
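The backward-compatible resolution proposed in the quoted message, as an added example that is not Django's code and not code from either poster: a seconds-based PASSWORD_RESET_TIMEOUT wins when provided, otherwise PASSWORD_RESET_TIMEOUT_DAYS with its default of 3 applies, and the expiry check then works at second rather than day granularity. The token format, the function names, the `settings` dict and the acceptance of a timedelta value are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from datetime import timedelta

LEGACY_DEFAULT_DAYS = 3  # default of PASSWORD_RESET_TIMEOUT_DAYS named in the thread


def reset_timeout_seconds(settings):
    """Token lifetime in seconds; the new setting wins only when provided."""
    timeout = settings.get("PASSWORD_RESET_TIMEOUT")
    if timeout is None:
        days = settings.get("PASSWORD_RESET_TIMEOUT_DAYS", LEGACY_DEFAULT_DAYS)
        return days * 24 * 60 * 60
    if isinstance(timeout, timedelta):  # assumption: also accept the readable form
        timeout = int(timeout.total_seconds())
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout < 1:
        raise ValueError("PASSWORD_RESET_TIMEOUT must be a positive number of seconds")
    return timeout


def _mac(secret, user_state, issued_at):
    # Binding the issue time into the MAC stops a holder from re-dating the token.
    msg = f"{user_state}:{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(secret, user_state, now=None):
    """Hypothetical token: hex issue time plus an HMAC over it and the user state."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at:x}-{_mac(secret, user_state, issued_at)}"


def check_token(secret, user_state, token, settings, now=None):
    """True only for an authentic token that is younger than the resolved timeout."""
    try:
        ts_hex, mac = token.split("-", 1)
        issued_at = int(ts_hex, 16)
    except ValueError:
        return False  # malformed token
    expected = _mac(secret, user_state, issued_at)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # forged token or altered timestamp
    age = (time.time() if now is None else now) - issued_at
    return 0 <= age <= reset_timeout_seconds(settings)
```

With no settings at all, a 13-hour-old token still validates under the 3 day default; setting PASSWORD_RESET_TIMEOUT to 12 hours rejects it.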
