I recently moved from IDM 5 to 22.214.171.124 and noticed that the email validation links you get in the pass reset flow are not reusable anymore. If you click on one once and do nothing, then click on it a second time, you get an “invalid code” error. I could not find this change in the release notes. Can someone confirm it, please? Is it configurable? Can I disable it?
I did some investigation myself. I see that the code part of the pass reset link, which is stored in the genericobjects table, gets deleted from that table when I click on the pass reset link.
I agree it would be a good security practice to invalidate pass reset links once they are used, but if I just click on the link and don’t attempt to change my password, IMHO the link should remain valid.