A token consist of a timestamp and a HMAC value. HMAC is a keyed hashing function: hashing uses a secret key (by default
settings.SECRET_KEY) to get a unique value, but “unhashing” is impossible with or without the key.
The hash combines four values:
- The user’s primary key.
- The user’s hashed password.
- The user’s last login timestamp.
- The current timestamp.
The token then consists of the current timestamp and the hash of these four values. The first three values are already in the database, and the fourth value is part of the token, so Django can verify the token at any time.
By including the user’s hashed password and last login timestamp in the hash, a token is automatically invalidated when the user logs in or changes their password. The current timestamp is also checked to see if the token has expired. Note that even though the current timestamp is included in the token (as a base36 encoded string), if an attacker changes the value, the hash changes as well and the token is rejected.