Forgot password functionality

Marco Canavese
Ranch Hand
Posts: 34
I'd like to implement a forgot password functionality for my very first jsp/servlet application.

Here below are the logic steps I'd think to follow in order to implement it:

  1) User clicks the forgot password link within the login page of the application.
  2) In the forgot password page, the application asks the user to enter the email address used to register to the system.
  3) The application verifies that the email address is valid.
  4) The application sends out an email to the specified address with reset instructions (details to be designed).
  5) The user clicks on the link provided in the email and gets redirected to a page where he can enter (and confirm) his new password.
  6) The application checks that the new password matches the confirm password and updates the appropriate field in the database.

Could you kindly give me feedback on whether there is some evident flaw with this approach or not?
Some hints, especially on how to implement step 4, would be very much appreciated, taking into account that I'd like to implement something effective from a security perspective (not because the application manages sensitive data, but because information security is a field where I have great interest, so secure code is always better than simply code).

Thanks a lot.
Marco
Stephan van Hulst
Saloon Keeper
Posts: 6966
Hi Marco

This looks pretty good. I recommend that you generate a random token when a user clicks the forgot password link. Store the token in your database together with an expiration date. The reset link in the e-mail should contain the token. The user can only reset their password if the token matches the one in the database, and when it hasn't expired yet. After the user successfully resets their password, you should remove the token from the database, so that the reset link can't be used a second time.
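The token flow described in the reply above, as an added example that is not code from the thread: a CSPRNG token is issued with an expiry, only its SHA-256 hash is kept server-side (so a leaked table does not yield working links), and the token is removed on first use so it is valid at most once. It assumes Java 16+ (for `record`) and uses an in-memory map in place of the database table.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: single-use, expiring password-reset tokens. The Map stands in for the DB table.
public class PasswordResetTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(30);   // assumed lifetime of a reset link
    private record Entry(String email, Instant expiresAt) {}
    // key = SHA-256 hash of the token, so a database leak does not expose usable links
    private final Map<String, Entry> store = new HashMap<>();

    /** Step 4: create a token for the address and return the raw value to put in the e-mail link. */
    public String issue(String email) {
        byte[] raw = new byte[32];                                 // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(hash(token), new Entry(email, Instant.now().plus(TTL)));
        return token;
    }

    /** Steps 5-6: consume the token; returns its e-mail, or null if unknown, expired or already used. */
    public String consume(String token) {
        Entry e = store.remove(hash(token));                       // remove first: valid at most once
        if (e == null || Instant.now().isAfter(e.expiresAt())) {
            return null;
        }
        return e.email();
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (java.security.NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);                   // SHA-256 is present in every JRE
        }
    }

    public static void main(String[] args) {
        PasswordResetTokens tokens = new PasswordResetTokens();
        String t = tokens.issue("marco@example.com");             // constructed sample address
        System.out.println("first use:  " + tokens.consume(t));
        System.out.println("second use: " + tokens.consume(t));   // token was removed on first use
    }
}
```

Because the lookup is keyed by the hash of a high-entropy random token, the "matches the one in the database" check is the map lookup itself; deleting on use rather than relying on expiry alone is what stops a link from being replayed within its lifetime.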
Marco Canavese
Ranch Hand
Posts: 34
Stephan van Hulst wrote:
> Hi Marco
>
> This looks pretty good. I recommend that you generate a random token when a user clicks the forgot password link. Store the token in your database together with an expiration date. The reset link in the e-mail should contain the token. The user can only reset their password if the token matches the one in the database, and when it hasn't expired yet. After the user successfully resets their password, you should remove the token from the database, so that the reset link can't be used a second time.

Thanks Stephan,
got it working as expected.
Still need to implement token deletion from the db... I was wondering if it's a good practice even if I set a very short expiration time for its usage.
Anyhow, I learned some new things developing this functionality and I'm happy to have done it.
Cheers