The password expiration feature requires that users change their password on login if it has expired (default: every 90 days). You can force password expiration checks for all logged in users by adding the following code to your route block:
Additionally, you can set a minimum amount of time after a password is changed until it can be changed again. By default this is not enabled, but it can be enabled by setting allow_password_change_after to a positive number of seconds.
It is not recommended to use this feature unless you have a policy that requires it, as password expiration generally results in users choosing weaker passwords. When asked to change their password, many users pick one based on their previous password, so forced password expiration is usually a net loss from a security perspective.
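As an added illustration that is not Rodauth's own code, the following standalone Ruby model reproduces the rules described above: the 90-day expiration, the optional minimum interval before another change, and the configured default when an account's last change time cannot be determined. The constructor keywords password_expiration_max and password_expiration_default are assumed names for the two settings whose names this page omits; the class and the required_action and password_changeable? helpers are hypothetical.

```ruby
require 'time'

# Illustrative model of the documented password-expiration rules (added
# example, not Rodauth's implementation). Keyword names other than
# allow_password_change_after are assumptions.
class PasswordExpirationPolicy
  DAY = 24 * 60 * 60

  # password_expiration_max:     seconds until a change is required (90 days).
  # allow_password_change_after: seconds that must pass before another change
  #                              is allowed (nil = always allowed, the default).
  # password_expiration_default: whether an account whose last change time
  #                              cannot be determined counts as expired.
  def initialize(password_expiration_max: 90 * DAY,
                 allow_password_change_after: nil,
                 password_expiration_default: false)
    @max = password_expiration_max
    @min_interval = allow_password_change_after
    @default = password_expiration_default
  end

  # Mirrors password_expired?: true when the password was changed more than
  # password_expiration_max seconds before +now+. Falls back to the configured
  # default when the last change timestamp is missing (e.g. no row for the
  # account in the password expiration table).
  def password_expired?(changed_at, now = Time.now)
    return @default if changed_at.nil?
    changed_at + @max < now
  end

  # True when a new password change may be made. With no minimum interval
  # configured a change is always allowed; otherwise the account must wait
  # allow_password_change_after seconds after its last change.
  def password_changeable?(changed_at, now = Time.now)
    return true if @min_interval.nil? || changed_at.nil?
    changed_at + @min_interval <= now
  end

  # What a check in the route block would decide for a logged-in account:
  # send the user to the change-password page, or let the request continue.
  def required_action(changed_at, now = Time.now)
    password_expired?(changed_at, now) ? :change_password : :continue
  end
end
```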
How long in seconds after the last password change until another password change is allowed (always allowed by default).
The flash error to display when the account's password has expired and needs to be changed.
The flash error to display when not enough time has elapsed since the last password change and an attempt is made to change the password.
Where to redirect if the password cannot be changed yet.
Where to redirect if a password needs to be changed.
The key in the session storing the timestamp the password was changed at.
If the last password change time for an account cannot be determined, whether to consider the account expired, false by default.
The table holding the password last changed timestamps.
The column in the
The column in the
How long in seconds until a password change is required (90 days by default).
Whether the password has expired for the related account.
Update the password last changed timestamp for the current account.