The password expiration feature requires that users change their password on login if it has expired (default: every 90 days). You can force password expiration checks for all logged in users by adding the following code to your route block:
Additionally, you can set a minimum amount of time after a password is changed until it can be changed again. By default this is not enabled, but it can be enabled by setting allow_password_change_after to a positive number of seconds.
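As an added illustration (this is not Rodauth's own code), the following stand-alone Ruby class models the checks described above: whether a password has expired and a change must be forced on login, whether a change is refused because too little time has passed since the last one, and what happens when no last-changed timestamp is known. The option names require_password_change_after and allow_password_change_after are the feature's documented settings; the class name, the expire_when_unknown flag, the in-memory timestamp table and the injected clock are assumptions made for this example so that it runs without a database.

```ruby
# Added example: a stand-alone model of the password expiration checks.
# Not Rodauth's code. Option names mirror the documented settings; the class,
# the expire_when_unknown flag, the in-memory table and the injected clock
# are assumptions for illustration.

DAY = 24 * 60 * 60

class PasswordExpirationPolicy
  attr_reader :require_password_change_after, :allow_password_change_after

  # require_password_change_after: seconds until a change is required (90 days).
  # allow_password_change_after: minimum seconds between changes (0 = always allowed).
  # expire_when_unknown: treat an account with no recorded change time as expired
  #   (the documented default is to treat it as not expired).
  # clock: injectable time source so the checks are deterministic in tests.
  def initialize(require_password_change_after: 90 * DAY,
                 allow_password_change_after: 0,
                 expire_when_unknown: false,
                 clock: -> { Time.now })
    unless require_password_change_after.positive?
      raise ArgumentError, "require_password_change_after must be positive"
    end
    if allow_password_change_after.negative?
      raise ArgumentError, "allow_password_change_after must be >= 0"
    end
    @require_password_change_after = require_password_change_after
    @allow_password_change_after = allow_password_change_after
    @expire_when_unknown = expire_when_unknown
    @clock = clock
    @changed_at = {} # stands in for the table of last-changed timestamps
  end

  # Record that account_id changed its password now.
  def update_password_changed_at(account_id)
    @changed_at[account_id] = @clock.call
  end

  # Seconds since the last recorded change, or nil if none was recorded.
  def seconds_since_change(account_id)
    t = @changed_at[account_id]
    t && (@clock.call - t)
  end

  # Whether the password has expired and the user must change it on login.
  def password_expired?(account_id)
    age = seconds_since_change(account_id)
    return @expire_when_unknown if age.nil?
    age >= @require_password_change_after
  end

  # Whether enough time has elapsed since the last change to allow another.
  def password_change_allowed?(account_id)
    age = seconds_since_change(account_id)
    return true if age.nil? || @allow_password_change_after.zero?
    age >= @allow_password_change_after
  end

  # Decision for a request from a logged-in account: proceed, or send the
  # user to the change-password page because the password has expired.
  def check_current_password(account_id)
    password_expired?(account_id) ? :redirect_to_change_password : :allow
  end

  # Attempt a change: refused if too soon, otherwise the timestamp is refreshed.
  def change_password(account_id)
    return :not_changeable_yet unless password_change_allowed?(account_id)
    update_password_changed_at(account_id)
    :changed
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed walk-through with a fake clock: a change is made, a second
  # change one hour later is refused, and after 91 days the login is redirected.
  now = Time.utc(2024, 1, 1)
  policy = PasswordExpirationPolicy.new(allow_password_change_after: DAY, clock: -> { now })
  policy.update_password_changed_at(1)
  now += 60 * 60
  puts policy.change_password(1)
  now += 91 * DAY
  puts policy.check_current_password(1)
end
```

The injected clock is what makes the 90-day boundary testable without waiting; in a real application the timestamps come from the feature's table and the check runs on every request in the route block.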
It is not recommended to use this feature unless you have a policy that requires it, as password expiration in general results in users choosing weaker passwords. When asked to change their password, many users choose a password that is based on their previous password, so forcing password expiration is in general a net loss from a security perspective. This matches current guidance such as NIST SP 800-63B, which advises against requiring periodic password changes unless there is evidence of compromise.
How long in seconds after the last password change until another password change is allowed (always allowed by default).
Where to redirect if a password needs to be changed.
The key in the session storing the timestamp the password was changed at.
The column in the
If the last password change time for an account cannot be determined, whether to consider the account expired, false by default.
The flash error to display when the account's password has expired and needs to be changed.
The column in the
The table holding the password last changed timestamps.
The flash error to display when not enough time has elapsed since the last password change and an attempt is made to change the password.
Where to redirect if the password cannot be changed yet.
How long in seconds until a password change is required (90 days by default).
Whether the password has expired for the related account.
Update the password last changed timestamp for the current account.