
How to set a password reset link to expire in 24 hours instead of no expiry

The application's password-recovery feature sends an e-mail containing a link to a page where the user sets a new password. If it is not used, this link never expires, which lets an attacker reuse it to compromise the account. How can I make the reset-password link expire 24 hours after the e-mail is sent to the user?

Can someone tell me what approach should be taken to solve this problem?

package com.www.actions;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;
import com.lang.EncryptionUtil;
import com.www.crm.CrmUser;
import com.www.customer.dao.CustomerUtils;
import com.www.interceptors.SessionManager;
import com.www.services.AmsCustomerService;
import com.raleys.www.services.IAmsCustomerService;

public class PasswordUpdateAction extends BaseAction {

    /** Comment for <code>serialVersionUID</code> */
    private static final long serialVersionUID = 1L;
    private final Logger logger = Logger.getLogger(PasswordUpdateAction.class);
    private String password1 = null;
    private String password2 = null;
    private final SessionManager sessionManager;

    public PasswordUpdateAction(SessionManager sessionManager) {
        this.sessionManager = sessionManager;
    }

    @Override
    public String execute() {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession session = ServletActionContext.getRequest().getSession();
        IAmsCustomerService amsCustomerService = new AmsCustomerService();

        // The user reaching this page must already be identified by the session
        // that was established when the e-mailed link was opened.
        CrmUser crmUser = this.sessionManager.getCrmUser(session);
        if (crmUser == null) {
            request.setAttribute("errorMsg", LOGIN_MSG);
            request.setAttribute("sessionErrorMsg", LOGIN_MSG);
            return ERROR;
        }
        if (StringUtils.isBlank(this.sessionManager.getCredentials(session))) {
            request.setAttribute("errorMsg", LOGIN_MSG);
            request.setAttribute("sessionErrorMsg", LOGIN_MSG);
            return ERROR;
        }

        String errorMsg = null;

        try {
            // Both password fields must match and pass the site's password rules.
            errorMsg = validateForm();
            if (StringUtils.isBlank(errorMsg)) {

                // Hash the new password and store it (upper-case hex) on the CRM user.
                String encryptedPassword = EncryptionUtil.encodePassword(getPassword1(), "MD5");

                crmUser.setPassword(encryptedPassword.toUpperCase());

                // Persist the updated user; the service reports 1 on success.
                int success = amsCustomerService.updateCrmUserLocally(crmUser);

                if (success == 1) {
                    request.setAttribute("successMsg", "Your Password Has Been Updated Successfully! ");
                    return SUCCESS;
                } else {
                    this.logger.error("Error Updating crmUser in Local DB. ");
                    errorMsg = "Unexpected error occur while updating your password, please try again.";
                }

            }

        } catch (Exception ex) {
            this.logger.error("Error, " + ex.getMessage());
            errorMsg = "Unexpected error occur while updating your password, please try again.";
        }

        request.setAttribute("errorMsg", errorMsg);
        return ERROR;
    }

    private String validateForm() {
        return CustomerUtils.validatePasswords(getPassword1(), getPassword2());
    }

    public String getPassword1() {
        return this.password1;
    }

    public void setPassword1(String password1) {
        this.password1 = password1;
    }

    public String getPassword2() {
        return this.password2;
    }

    public void setPassword2(String password2) {
        this.password2 = password2;
    }
}

Save the date the link expires along with the link / link key. When the user tries to change their password using that link, check that the expiry date is still in the future.
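One way to implement the stored-expiry check described in the answer, as an added Java example that is neither the question's code nor the project's own: the server keeps only a SHA-256 hash of each random token next to the user id and an expiry 24 hours out, and a link is honoured only while it is still known and unexpired, then discarded so it cannot be replayed. The in-memory map, the class and method names, and the injected Clock are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Issues single-use password-reset tokens that stop working 24 hours after they were sent. */
public class PasswordResetTokenService {
    private static final Duration TTL = Duration.ofHours(24);
    /** What the server keeps per outstanding link: the owning user and the expiry instant. */
    private record PendingReset(String userId, Instant expiresAt) {}

    // Hypothetical in-memory store keyed by SHA-256(token); a real deployment would use a DB table.
    // Only the hash is stored, so a copied table cannot be turned into working links.
    private final Map<String, PendingReset> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Clock clock; // injected so expiry can be exercised without waiting a day
    public PasswordResetTokenService(Clock clock) { this.clock = clock; }

    /** Creates a fresh 256-bit random token for userId, records its expiry, and returns the value to put in the e-mail link. */
    public String issue(String userId) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(sha256(token), new PendingReset(userId, clock.instant().plus(TTL)));
        return token;
    }
    /** Returns the owning user if the token is known, unused and unexpired, else null; the entry is removed either way, so a link works at most once. */
    public String consume(String token) {
        PendingReset reset = pending.remove(sha256(token));
        if (reset == null || !clock.instant().isBefore(reset.expiresAt())) {
            return null; // unknown, already used, or past the 24-hour window
        }
        return reset.userId();
    }
    private static String sha256(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
}
```

The action that handles the link would call consume(token) with the value from the URL before letting the user into the new-password form, and treat a null result as an invalid or expired link.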
