Is there any risk in using Django’s Token generator in different services?


Viewed 145 times

0

Assuming I’m already using the library django.contrib.auth.tokens.default_token_generator to generate tokens for resetting a user’s password, and want to use the same method to activate the user, or for any other similar service, are there the following risks?

  1. Revealing unwanted details to the user, such as the id or the hash of the password persisted in the database;
  2. Once a token 'X' is generated for a given action, such as resetting the password, the user can use this token for another action, such as activating the user;
  3. Once a new token is generated for the user, previous tokens from the same user remain active.

Although my doubts were partially clarified in this question, I still can’t tell how a token stays active or is deactivated without persistence in a database; would it be by updating the user’s last_login field?

However, I would definitely like to understand the logic behind this method, in order to understand the risks and benefits in production.
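The question is how Django’s default_token_generator can stay valid or stop being valid when nothing is written to the database. The following is an added example, not Django’s code and not part of the original question: it re-implements the documented PasswordResetTokenGenerator scheme in plain Python. The token is a base36 timestamp followed by an HMAC over the user’s primary key, stored password hash, last_login and email, keyed with a secret plus a per-purpose key salt. The User class, the secret, the timestamps, the hash strings and the generator names are constructed for the example, and the timestamp is plain Unix seconds rather than Django’s own epoch.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class User:
    """Constructed stand-in for the Django user row; only these fields feed the token."""
    pk: int
    password: str                   # the stored password hash, never the clear text
    last_login: Optional[datetime]
    email: str


def int_to_base36(i: int) -> str:
    chars = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        i, r = divmod(i, 36)
        out = chars[r] + out
        if i == 0:
            return out


class StatelessTokenGenerator:
    """Re-implementation of the PasswordResetTokenGenerator scheme (not Django's code).

    Nothing is persisted. The HMAC input already contains the password hash and
    last_login, so any token minted before either of them changes stops verifying.
    A different key_salt per purpose makes a reset token useless for activation.
    """

    def __init__(self, secret: str, key_salt: str, timeout: int = 3 * 24 * 3600):
        self.secret = secret
        self.key_salt = key_salt
        self.timeout = timeout      # Django: PASSWORD_RESET_TIMEOUT, default 3 days

    def _hash_value(self, user: User, ts: int) -> str:
        # last_login is truncated to seconds, as Django does, so the value is
        # stable between minting the token and checking it.
        login = "" if user.last_login is None else user.last_login.replace(microsecond=0).isoformat()
        return f"{user.pk}{user.password}{login}{ts}{user.email}"

    def _token_for(self, user: User, ts: int) -> str:
        key = hashlib.sha256((self.key_salt + self.secret).encode()).digest()
        digest = hmac.new(key, self._hash_value(user, ts).encode(), hashlib.sha256).hexdigest()
        return f"{int_to_base36(ts)}-{digest[::2]}"   # Django keeps every other hex char

    def make_token(self, user: User, now: Optional[int] = None) -> str:
        return self._token_for(user, int(time.time() if now is None else now))

    def check_token(self, user: User, token: str, now: Optional[int] = None) -> bool:
        try:
            ts = int(token.split("-", 1)[0], 36)
        except ValueError:
            return False
        # Recompute from the user's *current* state and compare in constant time.
        if not hmac.compare_digest(self._token_for(user, ts), token):
            return False
        return int(time.time() if now is None else now) - ts <= self.timeout


def demo() -> dict:
    """Walks through the three risks raised in the question with constructed data."""
    secret = "constructed-secret-key"
    reset = StatelessTokenGenerator(secret, key_salt="PasswordResetTokenGenerator")
    activate = StatelessTokenGenerator(secret, key_salt="AccountActivationTokenGenerator")
    user = User(pk=42, password="pbkdf2_sha256$constructed$hash", last_login=None, email="u@example.test")
    t0 = 1_700_000_000
    old, new = reset.make_token(user, t0), reset.make_token(user, t0 + 60)
    r = {
        "reset_token_valid": reset.check_token(user, old, t0 + 10),
        "reset_token_rejected_for_activation": activate.check_token(user, old, t0 + 10),
        "older_token_valid_until_state_changes": reset.check_token(user, old, t0 + 70)
        and reset.check_token(user, new, t0 + 70),
        "timestamp_visible_in_token": int(old.split("-")[0], 36) == t0,
    }
    user.last_login = datetime(2023, 11, 14, 22, 13, 20)    # the user logged in
    r["invalidated_by_login"] = reset.check_token(user, old, t0 + 100)
    user.last_login = None
    user.password = "pbkdf2_sha256$constructed$newhash"     # the user changed the password
    r["invalidated_by_password_change"] = reset.check_token(user, old, t0 + 100)
    user.password = "pbkdf2_sha256$constructed$hash"
    r["expired_after_timeout"] = reset.check_token(user, old, t0 + 3 * 24 * 3600 + 1)
    return r
```

What demo() shows against the three points: the token carries only the issue time in clear (base36) and an HMAC output, so neither the password hash nor the user id can be read from it (in Django the user id travels separately in the reset URL as uidb64); a token minted with one key salt does not verify under another, so separate generators per purpose keep a reset token from activating an account; and every token for a user stays valid until the timeout, a login or a password change, because it is the user row, not a stored token, that acts as the revocation state.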

1 answer

1


You can use:

import binascii
import os

numero_de_caracteres = 15
# os.urandom returns cryptographically strong random bytes; hexlify encodes
# each byte as two hex digits and returns a bytes object
token = binascii.hexlify(os.urandom(numero_de_caracteres))
print(token)

The above code generates a 15-character string randomly and stores it in the token variable. To set the number of characters just change the value of the variable numero_de_caracteres.
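A random string like the one in the answer is only useful if the server remembers it, because nothing in the string ties it to a user, a purpose or an expiry. As an added example (not part of the answer), the following keeps a SHA-256 digest of each token rather than the token itself, binds it to a user id and a purpose, replaces any earlier token for that pair, and consumes it on first use. The in-memory dictionary, the purpose names and the clock values are constructed for the example.

```python
import binascii
import hashlib
import hmac
import os
from typing import Dict, Tuple


class TokenStore:
    """Stateful counterpart of the answer's os.urandom token (added example)."""

    def __init__(self, ttl: int = 3600):
        self.ttl = ttl
        # (user_id, purpose) -> (sha256 of token, expiry); constructed in-memory store
        self._rows: Dict[Tuple[int, str], Tuple[str, int]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, purpose: str, now: int) -> str:
        # Same construction as the answer: 15 random bytes -> 30 hex characters.
        token = binascii.hexlify(os.urandom(15)).decode()
        # Only the digest is stored, so a leaked table yields no usable tokens.
        # Issuing again for the same user and purpose replaces the earlier row.
        self._rows[(user_id, purpose)] = (self._digest(token), now + self.ttl)
        return token

    def consume(self, user_id: int, purpose: str, token: str, now: int) -> bool:
        row = self._rows.get((user_id, purpose))
        if row is None:
            return False
        stored, expiry = row
        if not hmac.compare_digest(stored, self._digest(token)) or now > expiry:
            return False
        del self._rows[(user_id, purpose)]      # single use
        return True


def demo() -> dict:
    store = TokenStore(ttl=3600)
    t0 = 1_700_000_000
    first = store.issue(7, "password_reset", t0)
    second = store.issue(7, "password_reset", t0 + 1)
    results = {
        "token_length": len(second),
        "previous_token_revoked": store.consume(7, "password_reset", first, t0 + 2),
        "wrong_purpose_rejected": store.consume(7, "activation", second, t0 + 2),
        "valid_once": store.consume(7, "password_reset", second, t0 + 2),
        "replay_rejected": store.consume(7, "password_reset", second, t0 + 3),
    }
    third = store.issue(7, "activation", t0 + 3)
    results["expired"] = store.consume(7, "activation", third, t0 + 3 + 3601)
    return results
```

The contrast with the stateless generator in the question is the revocation model: here issuing a new token or consuming one changes the store, so the earlier tokens stop working immediately, at the cost of a table that must be kept and cleaned up.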
