23

I am using the Django Rest Framework token-authentication mechanism.

http://www.django-rest-framework.org/api-guide/authentication#tokenauthentication

It creates a database table with a field `created`, with a value equal to the timestamp when the token was created. E.g.: 2014-04-07 07:42:50.395626

Does anyone know how long this token is valid? I cannot find this info on the mentioned website.

I am also wondering that this token is still valid, even when the user changes the password. Shouldn't it generate a new one, or at least make the old one no longer valid?

andilabs

1 Answer

31

Answer to this question can be found HERE:

IN SHORT: this token is valid indefinitely.

If you would like to have a token which expires after a certain time, please refer to the examples shown in the mentioned question.

andilabs
  • Today I noticed that the default token was expired after some days. I did not do any customization. I wonder if there has been any change in Django. – JM217 Sep 06 '21 at 05:29
  • @DavidPiao Please confirm, you said the token expired after some days without any customization? If so was a new one generated after it expired? – Bruce Oct 06 '21 at 14:17
  • @Bruce, yes, I met such a case. But after that, could not reproduce it. I am not 100% sure. – JM217 Oct 06 '21 at 18:03
  • 1
    It was my fault. Yes I confirm it lives forever – JM217 Nov 24 '21 at 15:55
  • @DavidPiao A token expires (becomes invalid) if you log out on any client, as there is only one token per user. Example: You log into your web application from 2 different computers with the same user. Both will use the same token. If you then log out on one computer, the token is removed (not expired). You will be logged out on the other computer as well. – MarcFasel May 05 '22 at 05:51
  • By default, a token is not removed, meaning although you log out from one PC, the other PC still stays logged in. – JM217 May 05 '22 at 18:31
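
Since the default token never expires and survives a password change, both limits have to be added by the application. The following is an added example, not code from the original post or from the Django Rest Framework project: it enforces a lifetime from the token's `created` timestamp and replaces the token on demand. The 24-hour `TOKEN_TTL` and the names `token_expired`, `ExpiringTokenAuthentication` and `rotate_token` are assumptions made for illustration.

```python
from datetime import timedelta

TOKEN_TTL = timedelta(hours=24)  # assumed policy; DRF itself defines no lifetime


def token_expired(created, now, ttl=TOKEN_TTL):
    """True once `ttl` has elapsed since the token row's `created` timestamp."""
    return now - created >= ttl


try:
    from django.utils import timezone
    from rest_framework.authentication import TokenAuthentication
    from rest_framework.exceptions import AuthenticationFailed
except Exception:  # Django/DRF missing or unconfigured: only the helper is usable
    TokenAuthentication = None

if TokenAuthentication is not None:

    class ExpiringTokenAuthentication(TokenAuthentication):
        """Hypothetical drop-in for TokenAuthentication that enforces TOKEN_TTL."""

        def authenticate_credentials(self, key):
            # The parent looks up the key and rejects unknown tokens and inactive users.
            user, token = super().authenticate_credentials(key)
            if token_expired(token.created, timezone.now()):
                token.delete()  # force a fresh login instead of leaving a dead row
                raise AuthenticationFailed("Token has expired.")
            return user, token


def rotate_token(user):
    """Replace the user's token, e.g. right after a successful password change."""
    from rest_framework.authtoken.models import Token  # needs configured settings

    Token.objects.filter(user=user).delete()
    return Token.objects.create(user=user)
```

To take effect, the class has to be listed in `DEFAULT_AUTHENTICATION_CLASSES` in the `REST_FRAMEWORK` setting (or in a view's `authentication_classes`), and `rotate_token` has to be called from the password-change code path.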