Suggested Videos
Part 115 - Forgot password in asp.net core | Text | Slides
Part 116 - Reset password in asp.net core | Text | Slides
Part 117 - How tokens are generated and validated in asp.net core | Text | Slides
In this video we will discuss, how to set password reset token lifetime i.e specifying how long the token will be valid.
This is continuation to our previous video Part 117. Please watch Part 117 from asp.net core tutorial.
Both, password reset token and email confirmation token are generated by the built-in DataProtectorTokenProvider class. In our previous video, we discussed in detail, how this class generates and validates these tokens.
So, it is the DataProtectorTokenProvider class that generates the password reset token. The token life span is controlled by DataProtectionTokenProviderOptions class. You can see this yourself, if you look at the source code of DataProtectorTokenProvider class at the following link.
https://github.com/aspnet/Identity/blob/release/2.2/src/Identity/DataProtectionTokenProvider.cs
The default token life span is 1 day. You can see this yourself if you look at the source code of DataProtectionTokenProviderOptions class at the following link.
https://github.com/aspnet/Identity/blob/release/2.2/src/Identity/DataProtectionTokenProviderOptions.cs
From security standpoint, password reset token is a bit sensitive so it make sense to reduce the time it is valid for. The following code sets the token life span to 5 hours.
The above code, not only sets password reset token life span to 5 hours. It also sets the life span of all the tokens generated by DataProtectorTokenProvider class to 5 hours. This may not be the behaviour you want. For example, the email confirmation token is also generated by DataProtectorTokenProvider class. So this means even the email confirmation token life span is 5 hours.
In general email confirmation tokens can live a little longer than password reset tokens. For example, let's say we want to change the life span of email confirmation token to 3 days. To achieve this we have to create a custom DataProtectorTokenProvider and DataProtectionTokenProviderOptions.
We will discuss how to do this in our next video.
Part 115 - Forgot password in asp.net core | Text | Slides
Part 116 - Reset password in asp.net core | Text | Slides
Part 117 - How tokens are generated and validated in asp.net core | Text | Slides
In this video we will discuss, how to set password reset token lifetime i.e specifying how long the token will be valid.
This is continuation to our previous video Part 117. Please watch Part 117 from asp.net core tutorial.
Both, password reset token and email confirmation token are generated by the built-in DataProtectorTokenProvider class. In our previous video, we discussed in detail, how this class generates and validates these tokens.
So, it is the DataProtectorTokenProvider class that generates the password reset token. The token life span is controlled by DataProtectionTokenProviderOptions class. You can see this yourself, if you look at the source code of DataProtectorTokenProvider class at the following link.
https://github.com/aspnet/Identity/blob/release/2.2/src/Identity/DataProtectionTokenProvider.cs
The default token life span is 1 day. You can see this yourself if you look at the source code of DataProtectionTokenProviderOptions class at the following link.
https://github.com/aspnet/Identity/blob/release/2.2/src/Identity/DataProtectionTokenProviderOptions.cs
From security standpoint, password reset token is a bit sensitive so it make sense to reduce the time it is valid for. The following code sets the token life span to 5 hours.
public void ConfigureServices(IServiceCollection services)
{
// rest of the code
services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
options.Password.RequiredLength = 10;
options.Password.RequiredUniqueChars = 3;
options.SignIn.RequireConfirmedEmail = true;
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders();
// Set token life span to 5 hours
services.Configure<DataProtectionTokenProviderOptions>(o =>
o.TokenLifespan = TimeSpan.FromHours(5));
// rest of the code
}
{
// rest of the code
services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
options.Password.RequiredLength = 10;
options.Password.RequiredUniqueChars = 3;
options.SignIn.RequireConfirmedEmail = true;
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders();
// Set token life span to 5 hours
services.Configure<DataProtectionTokenProviderOptions>(o =>
o.TokenLifespan = TimeSpan.FromHours(5));
// rest of the code
}
The above code, not only sets password reset token life span to 5 hours. It also sets the life span of all the tokens generated by DataProtectorTokenProvider class to 5 hours. This may not be the behaviour you want. For example, the email confirmation token is also generated by DataProtectorTokenProvider class. So this means even the email confirmation token life span is 5 hours.
In general email confirmation tokens can live a little longer than password reset tokens. For example, let's say we want to change the life span of email confirmation token to 3 days. To achieve this we have to create a custom DataProtectorTokenProvider and DataProtectionTokenProviderOptions.
We will discuss how to do this in our next video.
No comments:
Post a Comment
It would be great if you can help share these free resources