Tags: database-design, passwords, security, theory

Why does reset password URL expire?


More of a theoretical question. Writing a secure login system, and I can't find a reason to have an expiration on a reset password URL.

Their thought was: if someone was in your email and wanted to change your password to a site, the URL should be expired. To get around this, they could request another password change to the already compromised email address.

I took the time to make it expire anyway. I think another backup email address or cell number would be the only way around this. I think I owe Kim DotCom money.


Solution

  • Without much elaboration, I see two problematic situations.

    • The user relies on a local storage email client (Outlook, for example). His account isn't compromised, but maybe the local storage is.
    • The email account may belong to an old service provider that the user doesn't use anymore, but the email on the compromised account is still able to generate a 'valid' request.

    So instead of thinking of all the possible points of failure while evaluating older links (and you WILL miss a case or two), just slap a duration on a reset token, thus preventing usage of older links/tokens.
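As an added illustration of the answer's advice (this is not code from the question or the answer), here is a small Python reset-token store that gives each token a fixed lifetime and, on top of that, makes a token single-use and invalidates any older outstanding token for the same user whenever a new one is issued. The names `PasswordResetStore`, `TOKEN_TTL_SECONDS`, `issue`, `redeem` and `revoke_all` are my own, and the in-memory dict stands in for a `password_resets` table; the 15-minute lifetime is a hypothetical policy value.

```python
"""Reset-token store with expiry, single use, and supersession on re-issue.

Added example for the answer above; not code from the original post.
The in-memory dict stands in for a password_resets table.
"""
import hashlib
import secrets
import time

# Hypothetical policy value: a reset link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    # Store only a hash so a leaked table does not yield usable reset links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class PasswordResetStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so tests can move time forward
        self._rows = {}       # token_hash -> {"user_id", "expires_at", "used"}

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id, invalidating any earlier one.

        Supersession covers the scenario in the question: once the user
        requests a new link, an older link sitting in a compromised mailbox
        or local mail store stops working regardless of its remaining lifetime.
        """
        self.revoke_all(user_id)
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, URL-safe
        self._rows[_hash_token(token)] = {
            "user_id": user_id,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str):
        """Return the user_id if the token is valid, else None. Consumes the token."""
        row = self._rows.get(_hash_token(token))
        if row is None or row["used"]:
            return None
        if self._clock() > row["expires_at"]:
            return None
        row["used"] = True
        return row["user_id"]

    def revoke_all(self, user_id: str) -> int:
        """Mark every outstanding token for user_id as used.

        Also call this after a successful password change so that no link
        mailed out before the change can still reset the new password.
        Returns the number of tokens revoked.
        """
        n = 0
        for row in self._rows.values():
            if row["user_id"] == user_id and not row["used"]:
                row["used"] = True
                n += 1
        return n


if __name__ == "__main__":
    now = [1_700_000_000.0]                      # constructed clock value
    store = PasswordResetStore(clock=lambda: now[0])
    link = store.issue("alice")
    print("fresh link redeems:", store.redeem(link))    # alice
    print("replayed link redeems:", store.redeem(link)) # None
    link = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1
    print("expired link redeems:", store.redeem(link))  # None
```

The three checks in `redeem` correspond to three different ways an old link can turn up: an unknown or already-consumed token (replay from a mail store), a token past its lifetime (the answer's "slap a duration on it"), and, through `issue` calling `revoke_all`, a token that was superseded by a newer request. Only the hash is kept at rest, so the raw token exists solely in the emailed URL.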