
How to set a password reset link to expire in 24 hours instead of no expiry

The application's password recovery functionality sends an email with a link to a page where a user sets a new password. This link does not expire if not used, which makes it possible for an attacker to re-use it in order to compromise an account. How do I make a password reset link expire within 24 hours of the email being sent to the user?

Can someone tell me what is the approach I should take to solve this issue?

package com.www.actions;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;
import com.lang.EncryptionUtil;
import com.www.crm.CrmUser;
import com.www.customer.dao.CustomerUtils;
import com.www.interceptors.SessionManager;
import com.www.services.AmsCustomerService;
import com.raleys.www.services.IAmsCustomerService;

public class PasswordUpdateAction extends BaseAction {

    /** Comment for <code>serialVersionUID</code> */
    private static final long serialVersionUID = 1L;
    private final Logger logger = Logger.getLogger(PasswordUpdateAction.class);
    private String password1 = null;
    private String password2 = null;
    private final SessionManager sessionManager;

    public PasswordUpdateAction(SessionManager sessionManager) {
        this.sessionManager = sessionManager;
    }

    @Override
    public String execute() {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession session = ServletActionContext.getRequest().getSession();
        IAmsCustomerService amsCustomerService = new AmsCustomerService();

        CrmUser crmUser = this.sessionManager.getCrmUser(session);
        if (crmUser == null) {
            request.setAttribute("errorMsg", LOGIN_MSG);
            request.setAttribute("sessionErrorMsg", LOGIN_MSG);
            return ERROR;
        }
        if (StringUtils.isBlank(this.sessionManager.getCredentials(session))) {
            request.setAttribute("errorMsg", LOGIN_MSG);
            request.setAttribute("sessionErrorMsg", LOGIN_MSG);
            return ERROR;
        }

        String errorMsg = null;

        try {
            errorMsg = validateForm();
            if (StringUtils.isBlank(errorMsg)) {

                String encryptedPassword = EncryptionUtil.encodePassword(getPassword1(), "MD5");

                crmUser.setPassword(encryptedPassword.toUpperCase());

                int success = amsCustomerService.updateCrmUserLocally(crmUser);

                if (success == 1) {
                    request.setAttribute("successMsg", "Your Password Has Been Updated Successfully! ");
                    return SUCCESS;
                } else {
                    this.logger.error("Error Updating crmUser in Local DB. ");
                    errorMsg = "Unexpected error occur while updating your password, please try again.";
                }

            }

        } catch (Exception ex) {
            this.logger.error("Error, " + ex.getMessage());
            errorMsg = "Unexpected error occur while updating your password, please try again.";
        }

        request.setAttribute("errorMsg", errorMsg);
        return ERROR;
    }

    private String validateForm() {
        return CustomerUtils.validatePasswords(getPassword1(), getPassword2());
    }

    public String getPassword1() {
        return this.password1;
    }

    public void setPassword1(String password1) {
        this.password1 = password1;
    }

    public String getPassword2() {
        return this.password2;
    }

    public void setPassword2(String password2) {
        this.password2 = password2;
    }
}

Save the date when the link expires along with the link / link key. When the user tries to change his password using that link, check that the expiry date is in the future.
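One way to implement the answer above in the same Java stack as the question, as an added example that is not code from the original post or the asker's application: the link carries a random token, only the token's SHA-256 hash is stored next to the account id and an expiry instant 24 hours out, and redeeming the link checks that the expiry is still in the future and deletes the record, so the link is also single-use. The class `PasswordResetTokenService`, the `ResetRecord` holder and the in-memory map standing in for the database table are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

/**
 * Issues password-reset tokens that expire 24 hours after they are created and
 * can be redeemed only once. Added example, not code from the original post.
 */
public class PasswordResetTokenService {

    /** What is persisted per link: the account it belongs to and its deadline. */
    static final class ResetRecord {
        final String userId;
        final Instant expiresAt;

        ResetRecord(String userId, Instant expiresAt) {
            this.userId = userId;
            this.expiresAt = expiresAt;
        }
    }

    private static final Duration TTL = Duration.ofHours(24);

    private final SecureRandom random = new SecureRandom();
    // Injected time source so expiry can be exercised without waiting a day.
    private final Supplier<Instant> now;
    // Stand-in for a database table keyed by the token hash (constructed for this example).
    private final Map<String, ResetRecord> store = new ConcurrentHashMap<>();

    public PasswordResetTokenService(Supplier<Instant> now) {
        this.now = now;
    }

    /** Creates the token to embed in the emailed link; only its hash is stored. */
    public String issue(String userId) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(hash(token), new ResetRecord(userId, now.get().plus(TTL)));
        return token;
    }

    /**
     * Redeems the token from a reset link. Returns the owning user id only if the
     * token is known and its expiry date is still in the future. The record is
     * removed on every attempt, so a link cannot be replayed after it was used.
     */
    public Optional<String> redeem(String token) {
        ResetRecord rec = store.remove(hash(token));
        if (rec == null) {
            return Optional.empty();                     // unknown, or already used
        }
        if (!rec.expiresAt.isAfter(now.get())) {
            return Optional.empty();                     // expiry date is not in the future
        }
        return Optional.of(rec.userId);
    }

    /** SHA-256 of the token, so a leaked or logged table does not yield usable links. */
    private static String hash(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on every JVM", e);
        }
    }

    public static void main(String[] args) {
        // Controllable clock for the demonstration; production code would pass
        // Clock.systemUTC()::instant instead.
        Instant[] clock = { Instant.parse("2024-01-01T09:00:00Z") };
        PasswordResetTokenService service = new PasswordResetTokenService(() -> clock[0]);

        // A link used one hour after issue is accepted once, then refused.
        String fresh = service.issue("user-42");
        clock[0] = clock[0].plus(Duration.ofHours(1));
        System.out.println("first use (expect user-42): " + service.redeem(fresh));
        System.out.println("second use (expect empty):  " + service.redeem(fresh));

        // A link first presented 25 hours after issue is refused outright.
        String stale = service.issue("user-7");
        clock[0] = clock[0].plus(Duration.ofHours(25));
        System.out.println("stale link (expect empty):  " + service.redeem(stale));

        // A guessed or tampered token is never present in the store.
        System.out.println("unknown (expect empty):     " + service.redeem("not-a-real-token"));
    }
}
```

The action that handles the link (the `PasswordUpdateAction` in the question only reads the two password fields) would take the token from the link's query string, call `redeem()`, and set the new password only for the user id it returns; an empty result gets the same generic error whether the link was expired, used or unknown, with an offer to send a fresh one. In a real deployment the `expiresAt` column is stored in UTC and compared against server time, and rows past their deadline are purged periodically so the table does not grow without bound.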
