Confirmation emails should expire
Bug #781438 reported by François Marier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Libravatar (obsolete) | Confirmed | Medium | Unassigned | |
Bug Description
Right now, messages sent to confirm one's email address don't expire.
They should expire in 24 or 48 hours:
- enforced in the verification code
- old unconfirmed email addresses should be removed on cron (bug 769771)
- email messages sent out should have some expiry headers to inform mail clients
The expiry headers are listed here:
http://
http://
Changed in libravatar:
assignee: nobody → François Marier (fmarier)
Changed in libravatar:
importance: Low → Medium
Changed in libravatar:
assignee: François Marier (fmarier) → nobody
description: updated
Changed in libravatar:
assignee: nobody → François Marier (fmarier)
Changed in libravatar:
assignee: François Marier (fmarier) → nobody
The Mozilla secure coding guidelines recommend expiring them after 8 hours:
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Email_Change_and_Verification_Functions
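The first two items in the bug description (expiry enforced in the verification code, plus a cron purge of stale unconfirmed addresses) could look like the sketch below. This is an added example, not Libravatar's code: the table layout, function names and in-memory SQLite store are assumptions, and the 24-hour window is the lower value from the report.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: 24 hours, the shorter window proposed in the report.
CONFIRMATION_TTL = timedelta(hours=24)


def open_store():
    """Hypothetical schema: pending confirmations and confirmed addresses."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE unconfirmed (email TEXT, token TEXT PRIMARY KEY, created REAL)")
    db.execute("CREATE TABLE confirmed (email TEXT PRIMARY KEY)")
    return db


def request_confirmation(db, email, now):
    """Store a pending address with its creation time; return the token to mail out."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO unconfirmed VALUES (?, ?, ?)", (email, token, now.timestamp()))
    return token


def confirm(db, token, now):
    """Return the confirmed address, or None if the token is unknown or expired.

    The age check lives here so expiry holds even if the cron purge never runs.
    """
    row = db.execute("SELECT email, created FROM unconfirmed WHERE token = ?", (token,)).fetchone()
    if row is None:
        return None
    email, created = row
    # Tokens are single use: remove the row whether or not it is still valid.
    db.execute("DELETE FROM unconfirmed WHERE token = ?", (token,))
    if now.timestamp() - created > CONFIRMATION_TTL.total_seconds():
        return None
    db.execute("INSERT OR IGNORE INTO confirmed VALUES (?)", (email,))
    return email


def purge_expired(db, now):
    """Cron job body: drop unconfirmed addresses older than the TTL; return the count."""
    cutoff = (now - CONFIRMATION_TTL).timestamp()
    return db.execute("DELETE FROM unconfirmed WHERE created < ?", (cutoff,)).rowcount
```

Both functions use the same cutoff, so a token the purge would delete is also one `confirm` refuses.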