Forgot password functionality

Marco Canavese (Ranch Hand):
I'd like to implement a forgot password functionality for my very first jsp/servlet application.

Here below are the logical steps I think to follow in order to implement it:

  1) User clicks the forgot password link within the login page of the application.
  2) In the forgot password page, the application asks the user to enter the email address used to register to the system.
  3) The application verifies that the email address is valid.
  4) The application sends out an email to the specified address with reset instructions (details to be designed).
  5) The user clicks on the link provided in the email and gets redirected to a page where he can enter (and confirm) his new password.
  6) The application checks that the new password matches the confirm password and updates the appropriate field in the database.


Could you kindly give me feedback on whether there is some evident flaw with this approach or not?
And some hints, especially on how to implement step 4, would be very much appreciated, taking into account that I'd like to implement something effective from a security perspective (not because the application manages sensitive data but because information security is a field where I have great interest, so secure code is always better than simply code).

Thanks a lot.
Marco
Stephan van Hulst (Saloon Keeper):
    Hi Marco

    This looks pretty good. I recommend that you generate a random token when a user clicks the forgot password link. Store the token in your database together with an expiration date. The reset link in the e-mail should contain the token. The user can only reset their password if the token matches the one in the database, and when it hasn't expired yet. After the user successfully resets their password, you should remove the token from the database, so that the reset link can't be used a second time.
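Steps 4 to 6 of Marco's flow, with the random token, expiry and single-use deletion that Stephan recommends, as an added example that is code from neither poster. It is plain Java rather than a servlet so it runs stand-alone: a `ConcurrentHashMap` stands in for the reset-token table, and the 30-minute lifetime, the reset URL and the e-mail addresses are assumed values. The one thing it adds beyond the thread is that the table stores only a SHA-256 hash of the token, so a leaked database dump yields no usable reset links.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (not from the thread): single-use, expiring password-reset tokens.
 * The map stands in for a reset_tokens table (assumed name); replace it with your DAO.
 */
public class PasswordResetTokens {

    /** One row of the assumed reset_tokens table; the map key is the token HASH, never the token. */
    static final class ResetRecord {
        final String userEmail;
        final Instant expiresAt;
        ResetRecord(String userEmail, Instant expiresAt) {
            this.userEmail = userEmail;
            this.expiresAt = expiresAt;
        }
    }

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(30);                      // assumed lifetime
    private static final String RESET_URL = "https://example.invalid/reset?token=";   // hypothetical URL

    private final Map<String, ResetRecord> store = new ConcurrentHashMap<>();

    /** Step 4: mint 256 random bits, store only their hash plus an expiry, return the raw token for the e-mail. */
    public String issueToken(String userEmail, Instant now) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);   // SecureRandom: java.util.Random or a time-based value is guessable
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(sha256(token), new ResetRecord(userEmail, now.plus(TTL)));
        return token;            // the raw token leaves the server only inside the e-mail link
    }

    /** The link placed in the e-mail body. */
    public String resetLink(String token) {
        return RESET_URL + token;
    }

    /**
     * Steps 5 and 6: redeem the token. Returns the owner's e-mail, or empty if the token is unknown,
     * already used, or expired. The row is removed on every attempt, so a link works at most once;
     * the caller then validates the new password (matches the confirmation) and updates the user row.
     */
    public Optional<String> redeemToken(String token, Instant now) {
        ResetRecord rec = store.remove(sha256(token));
        if (rec == null || now.isAfter(rec.expiresAt)) {
            return Optional.empty();
        }
        return Optional.of(rec.userEmail);
    }

    /** Hash used for storage, so a leaked table exposes no usable reset links. */
    static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is available in every JRE", e);
        }
    }

    public static void main(String[] args) {
        PasswordResetTokens tokens = new PasswordResetTokens();
        Instant t0 = Instant.parse("2024-01-01T12:00:00Z");   // constructed timestamp

        String token = tokens.issueToken("marco@example.invalid", t0);
        System.out.println("e-mail link: " + tokens.resetLink(token));

        // First click within the lifetime succeeds.
        System.out.println(tokens.redeemToken(token, t0.plus(Duration.ofMinutes(5))));
        // Second click with the same link: already consumed.
        System.out.println(tokens.redeemToken(token, t0.plus(Duration.ofMinutes(6))));

        // A token left unused past its lifetime is rejected and purged on the attempt.
        String stale = tokens.issueToken("marco@example.invalid", t0);
        System.out.println(tokens.redeemToken(stale, t0.plus(TTL).plusSeconds(1)));
    }
}
```

Looking the token up by its hash also means the redeem path never compares the attacker-supplied value against a stored secret byte by byte, so there is no string comparison whose timing could leak the stored token. In a real servlet the `store` calls become a `DELETE ... RETURNING`-style or select-then-delete against the token table, and rows whose expiry has passed can be swept by a periodic job since an expired row is refused anyway.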
Marco Canavese (Ranch Hand):

Stephan van Hulst wrote:Hi Marco

This looks pretty good. I recommend that you generate a random token when a user clicks the forgot password link. Store the token in your database together with an expiration date. The reset link in the e-mail should contain the token. The user can only reset their password if the token matches the one in the database, and when it hasn't expired yet. After the user successfully resets their password, you should remove the token from the database, so that the reset link can't be used a second time.

Thanks Stephan,
got it working as expected.
I still need to implement token deletion from the DB... I was wondering if it's good practice even if I set a very short expiration time for its usage.
Anyhow, I learned some new things developing this functionality and I'm happy to have done it.
Cheers