The old system of giving out password-reset URLs that only work in the current month is
- More security than is really needed
- Sometimes buggy

  I ran into an edge case where at the end of the month, `date('F', strtotime('+1 month'))` actually output the name of the month two months in the future, which made the "If you need to reset your password in `<?= date('F', strtotime('+1 month')) ?>` or later, you'll need to..." instruction confusing.
- Kind of arbitrary

  It's a time limit that can be anything less than one month, including just one second. It makes more sense to me to make it a specific length of time or none at all.
My recommendation is to remove this time limit entirely, but it would also be okay to change the limit to a specific period of time (like 24 hours, enforced by including a timestamp in the URL and making it part of the hash's input).