On Nov 10, 2015, at 3:27 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
2-3 days for email verification seems OK to me, but I wouldn't do that for password
resets. So I think you need to request a feature to be able to configure those
independently.
On 10 November 2015 at 13:50, Libor Krzyzanek <lkrzyzan(a)redhat.com> wrote:
Hi,
we got a requirement to have a long timeout, e.g. 2 - 3 days, on links for e-mail verification
during registration for better UX.
It’s possible to do it by setting “Login action timeout” to 3 days. This setting
also changes the timeout of the link for forgot password, AFAIK.
I’m thinking about the security implications.
Can somebody steal such a link in an e-mail somehow and then steal an identity by doing
“forgot password” on the target account? For example, by listening to SMTP protocol
communication?
Thanks,
Libor Krzyžanek
jboss.org Development Team
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user