I'm working on a web app that involves a login procedure. More specifically, the procedure for resetting forgotten passwords. When a user goes to the Login.jsp page and has forgotten their password, they can click on the link that is labelled "Forgot Password?". When they click on the link, they are sent to another page where they enter their email address and click submit. The email address is sent via POST to a servlet that finds the record in the database that coincides with the email address and sets a TimeStamp field and another field that will contain a special String token. The servlet also sends an email to the user with instructions.
An additional thing I wanted the servlet to do is initialize a new Thread that performs a check in one hour by sending the following UPDATE query to the database:
UPDATE users SET pwd_reset_timestamp=null, pwd_special_token=null WHERE users.uid = 7 AND TIMESTAMPDIFF(MINUTE,pwd_reset_timestamp,NOW()) > 60;
The instructions sent to the user stipulate that they have one hour to return to the website and reset their password. If they fail to do so, the Thread will reset the timestamp and token fields back to null.
That is how I originally envisioned the procedure. But I'm wondering if creating a new Thread inside a servlet is a wise thing to do? Once the Servlet has completed, will the Thread still be alive to do its job in one hour? Is there a better mechanism available that can perform the task within the time frame specified?
From an architectural perspective, I'd recommend using something like a job scheduling API. Quartz, for example, is the one I generally use for such purposes. If you really want to spawn new threads in a Servlet, you might want to go the thread pool route and use something like the ExecutorService to do so.
I don't understand the need for the thread at all. Just timestamp the entry and if they try to access it more than an hour after the timestamp, simply refuse to honor the process. There's really no need to actively run anything after the hour is up.
Bear Bibeault wrote: I don't understand the need for the thread at all. Just timestamp the entry and if they try to access it more than an hour after the timestamp, simply refuse to honor the process. There's really no need to actively run anything after the hour is up.
Good point Bear. I had stuck in my head the way that I generally approach this and it is with a ChangePasswordPending structure that I need to purge on some timed basis. But for the OP's problem, just checking the timestamp on request and denying the request then and doing cleanup would work great.
Thanks for the input, guys. Getting your perspectives on the problem certainly helps. Gregg, I wasn't aware of the Quartz library and found it quite interesting. It may come in handy for a future project, but I think Bear is on a better track. For this particular project I'll just refuse to honor the process if they're too late, and return a message that states they need to begin again from the start.
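The check-on-request approach the thread settles on, as an added example that is not code from any poster: the token is validated against its timestamp when it is presented, expired entries are cleared lazily, and a token can be redeemed only once. The class name, the in-memory map standing in for the `users` table, and the sample tokens are assumptions made for illustration (requires Java 16+ for `record`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ResetTokenCheck {
    static final Duration VALIDITY = Duration.ofMinutes(60);

    // Stand-in for the users row: pwd_special_token and pwd_reset_timestamp.
    record PendingReset(String token, Instant issuedAt) {}

    // Constructed in-memory "table" keyed by uid; a real app would query the database.
    private final Map<Integer, PendingReset> pending = new ConcurrentHashMap<>();

    void issue(int uid, String token, Instant now) {
        pending.put(uid, new PendingReset(token, now));
    }

    /** True only for a matching token presented within the hour; the token is single use. */
    boolean redeem(int uid, String presented, Instant now) {
        PendingReset p = pending.get(uid);
        if (p == null || presented == null) return false;
        // Expired: refuse and clean up on access, no background thread needed.
        if (Duration.between(p.issuedAt(), now).compareTo(VALIDITY) > 0) {
            pending.remove(uid, p);
            return false;
        }
        // Constant-time comparison so response timing does not leak token bytes.
        boolean match = MessageDigest.isEqual(
                p.token().getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
        // remove(key, value) succeeds for one caller only, so a token cannot be reused.
        return match && pending.remove(uid, p);
    }

    public static void main(String[] args) {
        ResetTokenCheck c = new ResetTokenCheck();
        Instant t0 = Instant.parse("2024-01-01T12:00:00Z"); // constructed sample time
        c.issue(7, "sample-token-A", t0);
        System.out.println("wrong token:  " + c.redeem(7, "wrong", t0.plusSeconds(60)));
        System.out.println("in time:      " + c.redeem(7, "sample-token-A", t0.plusSeconds(1800)));
        System.out.println("second use:   " + c.redeem(7, "sample-token-A", t0.plusSeconds(1900)));
        c.issue(7, "sample-token-B", t0);
        System.out.println("after 1 hour: " + c.redeem(7, "sample-token-B", t0.plusSeconds(3601)));
    }
}
```

Against a real database the same effect comes from putting the token match and the age condition in the `WHERE` clause of a single `UPDATE` that nulls both fields, then checking that exactly one row was affected.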