Less strict code verification in the reset password system

Last modified by Simon Urli on 2021/12/03

We allow to relax a bit the reset password email link security mechanism to avoid it being revoked at first access, in order to avoid issues with software that checks email links. This mechanism can be used by changing a property in xwiki.properties:

#-# [Since 13.10.1]
#-# [Since 14.0RC1]
#-# Define the lifetime of the token used for resetting passwords in minutes. Note that this value is only used after
#-# first access.
#-# Default value is 0 meaning that the token is immediately revoked when first accessed.
#-# Use a different value if the reset password email link might be accessed several times (e.g. in case of using an
#-# email link verification system): in such case the user will have the defined lifetime to use again the email link.
#-#
#-# The default is:
# security.authentication.resetPasswordTokenLifetime = 0

Get Connected