How does Django version 1.11 generate a password reset link with a uid and a token generator for the given user? How does it validate the link? After some digging, I found out they save the token in the session to check afterwards, but in that case the validity of such a link is highly unreliable (I think, I might be wrong). Please suggest me some functions which will do the same, i.e. generate an encrypted email link which will be used to reset email.
Viewed 2,137 times
1 Answer
Django does not save the password reset token in the session. The token is a salted HMAC and is completely stateless.
Have a look at the methods make_token and check_token of the class PasswordResetTokenGenerator.

Daniel Hepper
- Here is the Django code; I feel they are using sessions to validate. https://github.com/django/django/blob/master/django/contrib/auth/views.py – Deepanshu Gautam Jun 13 '18 at 12:26
- No, it doesn't. You can verify that by adding a breakpoint to PasswordResetView.dispatch and stepping through the code or simply by opening the password reset link in an incognito browser session. – Daniel Hepper Jun 13 '18 at 12:36