Support us .Net Basics C# SQL ASP.NET Aarvi MVC Slides C# Programs Subscribe Download

ASP.NET Core password reset token lifetime

Suggested Videos
Part 115 - Forgot password in core | Text | Slides
Part 116 - Reset password in core | Text | Slides
Part 117 - How tokens are generated and validated in core | Text | Slides

In this video we will discuss, how to set password reset token lifetime i.e specifying how long the token will be valid.

This is continuation to our previous video Part 117. Please watch Part 117 from core tutorial.

Both, password reset token and email confirmation token are generated by the built-in DataProtectorTokenProvider class. In our previous video, we discussed in detail, how this class generates and validates these tokens.

So, it is the DataProtectorTokenProvider class that generates the password reset token. The token life span is controlled by DataProtectionTokenProviderOptions class. You can see this yourself, if you look at the source code of DataProtectorTokenProvider class at the following link.

The default token life span is 1 day. You can see this yourself if you look at the source code of DataProtectionTokenProviderOptions class at the following link.

From security standpoint, password reset token is a bit sensitive so it make sense to reduce the time it is valid for. The following code sets the token life span to 5 hours.

public void ConfigureServices(IServiceCollection services)
    // rest of the code

    services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        options.Password.RequiredLength = 10;
        options.Password.RequiredUniqueChars = 3;

        options.SignIn.RequireConfirmedEmail = true;

    // Set token life span to 5 hours
    services.Configure<DataProtectionTokenProviderOptions>(o =>
        o.TokenLifespan = TimeSpan.FromHours(5));

    // rest of the code

The above code, not only sets password reset token life span to 5 hours. It also sets the life span of all the tokens generated by DataProtectorTokenProvider class to 5 hours. This may not be the behaviour you want. For example, the email confirmation token is also generated by DataProtectorTokenProvider class. So this means even the email confirmation token life span is 5 hours.

In general email confirmation tokens can live a little longer than password reset tokens. For example, let's say we want to change the life span of email confirmation token to 3 days. To achieve this we have to create a custom DataProtectorTokenProvider and DataProtectionTokenProviderOptions.

We will discuss how to do this in our next video. core tutorial for beginners

No comments:

Post a Comment

It would be great if you can help share these free resources