
Possible Duplicate:
Forgot Password: what is the best method of implementing a forgot password function?

I am implementing forgot password for a web application. The user will be sent an email with a link to the web page where the new password is entered. I would like to limit the validity of the link to a maximum of 24 hrs from when it was created. How should I implement this? How should I generate this parameter so that the same link can't be reused, and so that one cannot modify the link and reuse it?

Not sure if this would be helpful, but I am using Spring 3.1 framework.

devang

4 Answers


For this type of functionality you need to create a timestamp-based random token and send it along with the forgot-password link. You need to follow the steps mentioned below:

  1. Create a random token when the user hits forgot password and save it in the DB with the expiry time.
  2. Send the link with the token embedded to the user in an email.
  3. When the user hits the link, first check the token's expiry time; if it has expired, show a message to the user.
  4. If the token is not expired, allow the user to change the password, and then set the token state to invalid.

In order to secure it more, you can add some more steps to ensure that the link is from the valid user and has not been hacked.

Umesh Awasthi

The common approach is to include a generated id in your URL. That id will be persisted in the DB along with a date field, either the creation date or the expiry date. This way you will be able to create a background task to clear your expired ids.

dan

What I would do is:

  • Reset the user's password (random value) with an expiration date of now + 24h
  • Send the user the new password with a link to the "change your password" page

Advantages:

  • Spring Security will take care of expiration
  • If I "steal" a link to the "change your password" page it's worth nothing: the user needs to enter the current password and the new password (twice)
  1. Once the user requests a new password, generate some random token, e.g. using RandomStringUtils.randomAlphanumeric(int). Store this token in a database associated with the ID of the user who requested the password reset. Also store the timestamp when it was created.

  2. Send a link to the user via e-mail. This link should contain the token you just created as part of the URL.

  3. Once the user opens this link, she is asked to enter a new password. If you are afraid that the link might have leaked, also ask for some personal detail (e-mail, first name, etc.)

  4. On the server side you:

    1. Find the token and the user ID associated with that token

    2. Make sure the token is still valid by comparing against the current date

    3. Store the new password hashed

Tomasz Nurkiewicz
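Putting the answers above together (unguessable random token, persisted with an expiry, checked and invalidated on use), here is an added sketch; it is not from the question or any of the answers. It assumes Java 8+ for java.time and stands in a hypothetical in-memory map for the DB table the answers describe; only the token's hash is stored, so a copy of the table does not yield working reset links.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class PasswordResetTokens {
    private static final Duration VALIDITY = Duration.ofHours(24);
    private static final SecureRandom RNG = new SecureRandom();

    // Hypothetical stand-in for a DB row: user, expiry, and a single-use flag.
    static final class Entry {
        final String userId; final Instant expiresAt; boolean used;
        Entry(String userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }
    // Keyed by SHA-256 of the token, never by the raw token (in-memory stand-in for the table).
    private final Map<String, Entry> byTokenHash = new HashMap<>();

    /** Step 1: 256-bit random token; persist its hash + expiry; return the raw token for the e-mail link. */
    public String issue(String userId, Instant now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byTokenHash.put(sha256(token), new Entry(userId, now.plus(VALIDITY)));
        return token;
    }

    /** Steps 3-4: look the token up by hash, reject expired or already-used tokens, then burn it.
     *  Returns the user id allowed to set a new password, or null. */
    public String redeem(String token, Instant now) {
        Entry e = byTokenHash.get(sha256(token));
        if (e == null || e.used || now.isAfter(e.expiresAt)) return null;
        e.used = true;                       // one link, one password change
        return e.userId;
    }

    static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }
}
```

A modified link fails because its hash matches no row, and a replayed link fails because the row is already marked used; a periodic job can delete rows whose expiresAt has passed, as dan's answer suggests.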