Environment
Self Service Password Reset 4.x
SSPR
User Activation Module
Situation
User is unable to enter the activation token after leaving the SSPR New User Activation page and coming back
How long is an SSPR activation token valid?
How long is an SSPR activation token valid if a user navigates away from the SSPR user activation page?
The SSPR new user activation module requires a token to be entered in order to activate an account. How long does a user have to enter this token?
Resolution
To answer this question, two different SSPR settings need to be considered.
The following setting defines how long a token is valid:
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ default ⇨ New User Email Token Maximum Lifetime (or New User SMS Token Maximum Lifetime)
The following setting specifies how long a user has to return to the activation page after navigating away from it:
Settings ⇨ Security ⇨ Web Security ⇨ Page Leave Notice Timeout
These two settings are independent of each other and are applied separately. If one value is larger than the other, the larger one remains in effect even after the other has expired. For example, if the “Token Maximum Lifetime” is set to 30 minutes and the “Page Leave” timeout is set to 5 minutes, the token would still be valid for 20 more minutes if the user left the page 10 minutes earlier after having entered the username but not the token. In this example the user would need to open a new browser session and enter the token before the 30-minute timeout occurred, even though the page leave timeout had been reached.