Is there any risk in using the Django Token Generator in different services?

0

Assuming that I'm already using the django.contrib.auth.tokens.default_token_generator  generating tokens to reset a user's password, and  want to use the same method to activate the user, or for any other similar service, are there any of the following risks?

  • Reveal unwanted details for the user as id or hash of the password persisted in a bank;
  • Once an 'X' token is generated in a given action, such as resetting the password, the user can use this same token for another action, such as activating user;
  • Once a new token is generated for the user, the previous user's tokens remain active.

    Although you partially clarify my doubts #

    >

    However, I would definitely like to understand the logic behind this method to understand the risks and benefits of production.

  • asked by anonymous 10.06.2016 / 01:44

    1 answer

    1

    You can use:

    import binascii
    import os
    
    numero_de_caracteres = 15
    token = binascii.hexlify(os.urandom(numero_de_caracteres))
    print(token)
    

    The above code generates a random string of 15 characters and stores it in the token variable. To define the number of characters, simply modify the value of the variable number_of_characters.

        
    20.10.2016 / 20:02