[keycloak-user] Security implications when having long login action timeout
Libor Krzyzanek
lkrzyzan at redhat.com
Tue Nov 10 07:50:07 EST 2015
Hi,
We got a requirement to have a long timeout, e.g. 2-3 days, on links for e-mail verification during registration, for better UX.
It's possible to do this by setting "Login action timeout" to 3 days. AFAIK this setting also changes the timeout of the link for "forgot password".
I'm thinking about the security implications.
Can somebody somehow steal such a link from an e-mail and then steal the identity by doing "forgot password" on the target account? For example, by listening to the SMTP protocol communication?
Thanks,
Libor Krzyžanek
jboss.org Development Team