Login's ResetPassword - how long do you have before it expires? Cache dependent?

halftrainedharry · February 11, 2022, 9:21am

I think you are correct.

It looks like the value gets written to the default cache partition without an expiration time.

modxcms/Login/blob/04ccc73a3f93201fada4dbfbf54065ce22379038/core/components/login/controllers/web/ForgotPassword.php#L226

      
        
            
            
    /* set the email properties */
                $emailProperties = $fields;
                $emailProperties['confirmUrl'] = $confirmUrl;
                $emailProperties['password'] = $password;
                $emailProperties['tpl'] = $this->getProperty('emailTpl');
                $emailProperties['tplAlt'] = $this->getProperty('emailTplAlt','');
                $emailProperties['tplType'] = $this->getProperty('emailTplType');
            
            
    /* now set new password to cache to prevent middleman attacks */
                $this->modx->cacheManager->set('login/resetpassword/'.md5($fields['id'].':'.$fields['username']),$password);
            
            
    $emailSubject = $this->getProperty('emailSubject','');
                $subject = !empty($emailSubject) ? $emailSubject : $this->modx->getOption('login.forgot_password_email_subject',null,$this->modx->lexicon('login.forgot_password_email_subject'));
                $this->login->sendEmail($fields['email'],$fields['username'],$subject,$emailProperties);
                $this->emailsSent++;
            }
            
            
/**
             * Redirect the user to another page after successful form submission, if desired
             * @return boolean

Maybe it would be a better idea to use a custom partition in this case:

//Writes the data to its own cache partition with an expiry time of 2 hours.
$options = array(
	xPDO::OPT_CACHE_KEY => 'resetpassword',
);
$this->modx->cacheManager->set('login/resetpassword/'.md5($fields['id'].':'.$fields['username']),$password, 7200, $options);