Tags: php, laravel, laravel-4, laravel-5, reset-password

Should I make that reset password link expire after a certain period of time?


Form


When my user forgets their password, I ask them for an email so I can send them the reset password link.

Right now I have embedded the link into the button; that link doesn't have any expiration time on it. But if they re-submit an email again, then I regenerate the link and override the old one.


Questions

  • Is what I have right now secure enough?
  • Should I make that reset password link expire after a certain period of time?
  • If so, what is the best practice to handle this?

Any tips / suggestions will be much appreciated.


Solution

  • If you are using Laravel 5, this option comes as boilerplate. All you have to do is migrate the users and password_reset tables. The token automatically expires in 60 minutes.
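
The expiry and override behaviour discussed above, as an added example that is not part of the original answer and is not Laravel's own code: a reset token that is stored only as a hash, is replaced when a new link is requested, expires after 60 minutes and can be used once. `ResetTokenStore`, its in-memory array (standing in for a database table) and the sample address are hypothetical; it assumes PHP 8.

```php
<?php
// Added illustration of expiring, single-use reset tokens (not Laravel's code).
// ResetTokenStore and its in-memory array are hypothetical stand-ins for a DB table.
final class ResetTokenStore
{
    private array $rows = [];   // email => ['hash' => ..., 'created_at' => ...]

    public function __construct(private int $ttlSeconds = 3600) {}

    // Issue a new token; any earlier token for the same email is overwritten.
    public function issue(string $email, int $now): string
    {
        $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        $this->rows[$email] = [
            'hash'       => hash('sha256', $token),  // store only the hash
            'created_at' => $now,
        ];
        return $token;                               // goes into the emailed link
    }

    // Accept a valid, unexpired token exactly once, then invalidate it.
    public function consume(string $email, string $token, int $now): bool
    {
        $row = $this->rows[$email] ?? null;
        if ($row === null) {
            return false;                            // nothing pending for this email
        }
        if ($now - $row['created_at'] > $this->ttlSeconds) {
            unset($this->rows[$email]);              // expired: purge the row
            return false;
        }
        if (!hash_equals($row['hash'], hash('sha256', $token))) {
            return false;                            // constant-time comparison failed
        }
        unset($this->rows[$email]);                  // single use
        return true;
    }
}

// Constructed sample run with a fixed clock instead of time().
$store = new ResetTokenStore(3600);
$t0    = 1700000000;
$old   = $store->issue('user@example.com', $t0);
$new   = $store->issue('user@example.com', $t0 + 10);             // overrides $old
var_dump($store->consume('user@example.com', $old, $t0 + 20));    // superseded link
var_dump($store->consume('user@example.com', $new, $t0 + 30));    // current link
var_dump($store->consume('user@example.com', $new, $t0 + 40));    // replay of used link
$late = $store->issue('user@example.com', $t0);
var_dump($store->consume('user@example.com', $late, $t0 + 3601)); // past the TTL
```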