change password token invalidation policy: too strict?
A password token is invalidated immediately when its link is accessed, even if the password was not changed. We got a user complaint that the password link was always reported to be invalid.
The logs show that the link was accessed multiple times from multiple IP addresses. Possibly these are intermediate email gateways checking included links for malware.
Would it be acceptable to invalidate password change links only after they were successfully used to change the password?
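To make the trade-off concrete, here is an added example (not part of the original question or any particular product) that models both policies side by side: a reset service that either consumes the token on the first GET of the link, or only when a new password is actually submitted. The names `PasswordResetService`, `open_link`, `submit_new_password` and the 15-minute lifetime are assumptions for the illustration. Only a digest of the token is stored, the token stays single-use, it expires, and a successful change retires every outstanding token for that account, so relaxing the "invalidate on view" rule does not turn the link into a reusable one.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for this example


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Minimal reset-token store (illustrative, not a real product's code).

    Only the SHA-256 digest of each token is kept, so a leaked table does not
    yield working links. The token itself is 256 bits from `secrets`, so a
    fast hash is adequate here (a slow KDF is for low-entropy passwords)."""

    def __init__(self, invalidate_on_view: bool, clock=time.time):
        # True reproduces the strict policy from the question; False is the proposed one.
        self.invalidate_on_view = invalidate_on_view
        self._clock = clock
        self._records: dict[str, ResetRecord] = {}
        self.passwords: dict[str, str] = {}  # user_id -> stored secret (stand-in for a real hash)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = ResetRecord(
            user_id, self._clock() + TOKEN_TTL_SECONDS
        )
        return token  # goes into the emailed link; never stored in clear

    def _valid_record(self, token: str):
        rec = self._records.get(self._digest(token))
        if rec is None or rec.used or rec.expires_at <= self._clock():
            return None
        return rec

    def open_link(self, token: str) -> bool:
        """GET handler: triggered by mail gateways, link previews and the user's browser.
        Returns whether the reset form would be shown."""
        rec = self._valid_record(token)
        if rec is None:
            return False
        if self.invalidate_on_view:
            rec.used = True  # the strict policy: first viewer burns the token
        return True

    def submit_new_password(self, token: str, new_password: str) -> bool:
        """POST handler: the only step that should consume the token."""
        rec = self._valid_record(token)
        if rec is None:
            return False
        self.passwords[rec.user_id] = new_password
        # Retire every outstanding token for this account, not just the one used.
        for other in self._records.values():
            if other.user_id == rec.user_id:
                other.used = True
        return True


def scenario(invalidate_on_view: bool) -> dict:
    """Replay the complaint: three scanners open the link, then the user opens it,
    submits a new password, and a replay of the same link is attempted."""
    svc = PasswordResetService(invalidate_on_view)
    token = svc.issue_token("alice")  # constructed sample account
    scanner_hits = [svc.open_link(token) for _ in range(3)]
    user_opens = svc.open_link(token)
    changed = svc.submit_new_password(token, "new-secret")
    replay = svc.submit_new_password(token, "second-attempt")
    return {
        "scanner_hits": scanner_hits,
        "user_opens": user_opens,
        "changed": changed,
        "replay": replay,
    }


def expiry_check() -> bool:
    """A token past its lifetime must be rejected even under the relaxed policy."""
    now = [1000.0]
    svc = PasswordResetService(False, clock=lambda: now[0])
    token = svc.issue_token("bob")
    now[0] += TOKEN_TTL_SECONDS + 1
    return svc.submit_new_password(token, "irrelevant")


if __name__ == "__main__":
    print("strict :", scenario(True))
    print("relaxed:", scenario(False))
    print("expired token accepted:", expiry_check())
```

With the strict policy the first scanner hit returns the form and every later access, including the user's, is refused, which is exactly the complaint. With the relaxed policy the scanners see the form but change nothing, the user's submission succeeds, and the immediate replay fails because the token was consumed by the change. The rendering of the form on GET is harmless as long as the page does not change state; the POST is where the one-time guarantee lives.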