SSPR New User Activation Times Out

  • 7024718
  • 08-Jul-2020
  • 09-Jul-2020

Environment

Self Service Password Reset 4.x
SSPR 
User Activation Module 

Situation

User is unable to enter activation token after leaving SSPR New User Activation page and coming back
How long is an SSPR activation token valid? 
How long is an SSPR activation token valid if a user navigates away from the SSPR user activation page?
The SSPR new user activation module requires a token to be entered in order to activate an account. How long does a user have to enter this token?

Resolution

To answer this question, two different SSPR settings need to be considered.

The following setting defines how long a token is valid:
 
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ default ⇨ New User Email Token Maximum Lifetime  (or New User SMS Token Maximum Lifetime)


The following setting specifies how long a user has to return to the activation page after navigating away from it: 
 
Settings ⇨ Security ⇨ Web Security ⇨  Page Leave Notice Timeout

These two settings are independent of each other and are applied separately. If one value is larger than the other, it remains valid even if the other one has expired. For example, if the “Token Maximum Lifetime” is set to 30 minutes and the “Page Leave” timeout is set to 5 minutes, the token would still be valid for 20 more minutes if the user left the page 10 minutes earlier after having entered the username but not the token. In this example the user would need to open a new browser session and enter the token before the 30 minute timeout occurred, even though the page leave timeout had been reached.