如何让密码重置链接在24小时后过期,而不是永不过期

时间:2015-02-28 01:06:39

标签: java passwords

应用程序的密码恢复功能会发送一封电子邮件,其中包含一个指向用户设置新密码页面的链接。即使未被使用,此链接也不会过期,这使得攻击者可以重复使用它来入侵帐户。如何让重置密码链接在邮件发送给用户后的24小时内过期?

有人能告诉我解决这个问题应采取的方法是什么?

package com.www.actions;       

import java.util.Locale;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;

import com.lang.EncryptionUtil;
import com.www.crm.CrmUser;
import com.www.customer.dao.CustomerUtils;
import com.www.interceptors.SessionManager;
import com.www.services.AmsCustomerService;
import com.raleys.www.services.IAmsCustomerService;

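/**
 * Struts action that stores a new password for the CRM user bound to the current session.
 *
 * <p>Access is gated purely on session state: a {@link CrmUser} must be present and the
 * session credentials must be non-blank. Nothing here checks a reset-link token or its
 * expiry, so any lifetime limit on emailed reset links has to be enforced before this
 * action is reached.
 */
public class PasswordUpdateAction extends BaseAction {

    /** Comment for <code>serialVersionUID</code> */
    private static final long serialVersionUID = 1L;

    /**
     * Digest name handed to {@link EncryptionUtil#encodePassword}.
     *
     * <p>SECURITY: MD5 is a fast, unsalted digest and is not a suitable password hash;
     * bcrypt/scrypt/argon2 should replace it. It is kept here because existing stored
     * CrmUser passwords are presumably in this format (not visible from this class —
     * confirm before changing), so a switch needs a coordinated re-hash of those records.
     */
    private static final String PASSWORD_DIGEST = "MD5";

    /** User-facing message for any failure that is not a form-validation error. */
    private static final String UPDATE_FAILED_MSG =
            "Unexpected error occur while updating your password, please try again.";

    private final Logger logger = Logger.getLogger(PasswordUpdateAction.class);
    private String password1 = null;
    private String password2 = null;
    private final SessionManager sessionManager;

    /**
     * @param sessionManager source of the session-bound {@link CrmUser} and credentials
     */
    public PasswordUpdateAction(SessionManager sessionManager) {
        this.sessionManager = sessionManager;
    }

    /**
     * Validates the two submitted passwords, hashes the first one and persists it on the
     * session's CRM user.
     *
     * @return {@code SUCCESS} when the local update reports 1 row; otherwise {@code ERROR},
     *         with the reason placed in the {@code errorMsg} request attribute
     */
    @Override
    public String execute() {
        HttpServletRequest request = ServletActionContext.getRequest();
        // Reuse the request already fetched instead of resolving it a second time.
        HttpSession session = request.getSession();
        IAmsCustomerService amsCustomerService = new AmsCustomerService();

        CrmUser crmUser = this.sessionManager.getCrmUser(session);
        if (crmUser == null || StringUtils.isBlank(this.sessionManager.getCredentials(session))) {
            return rejectUnauthenticated(request);
        }

        String errorMsg = null;

        try {
            errorMsg = validateForm();
            if (StringUtils.isBlank(errorMsg)) {
                String encryptedPassword = EncryptionUtil.encodePassword(getPassword1(), PASSWORD_DIGEST);

                // Locale.ROOT keeps the case mapping independent of the JVM default locale.
                crmUser.setPassword(encryptedPassword.toUpperCase(Locale.ROOT));

                int success = amsCustomerService.updateCrmUserLocally(crmUser);

                if (success == 1) {
                    request.setAttribute("successMsg", "Your Password Has Been Updated Successfully! ");
                    return SUCCESS;
                }
                this.logger.error("Error Updating crmUser in Local DB. ");
                errorMsg = UPDATE_FAILED_MSG;
            }
        } catch (Exception ex) {
            // Pass the exception itself so the stack trace is logged, not just its message.
            // The submitted password is deliberately never logged.
            this.logger.error("Error updating password", ex);
            errorMsg = UPDATE_FAILED_MSG;
        }

        request.setAttribute("errorMsg", errorMsg);
        return ERROR;
    }

    /**
     * Records the login-required message on the request and yields the {@code ERROR} result.
     *
     * @param request the current request, which receives {@code errorMsg} and {@code sessionErrorMsg}
     * @return {@code ERROR}
     */
    private String rejectUnauthenticated(HttpServletRequest request) {
        request.setAttribute("errorMsg", LOGIN_MSG);
        request.setAttribute("sessionErrorMsg", LOGIN_MSG);
        return ERROR;
    }

    /**
     * Delegates password-pair validation to {@link CustomerUtils#validatePasswords}.
     *
     * @return a user-facing error message, or a blank/null value when the pair is acceptable
     */
    private String validateForm() {
        return CustomerUtils.validatePasswords(getPassword1(), getPassword2());
    }

    /** @return the first submitted password field */
    public String getPassword1() {
        return this.password1;
    }

    /** @param password1 the first submitted password field */
    public void setPassword1(String password1) {
        this.password1 = password1;
    }

    /** @return the confirmation password field */
    public String getPassword2() {
        return this.password2;
    }

    /** @param password2 the confirmation password field */
    public void setPassword2(String password2) {
        this.password2 = password2;
    }
}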

1 个答案:

答案 0 :(得分:0)

将过期时间与链接(或链接密钥)一起保存。当用户尝试使用该链接修改密码时,先检查过期时间是否仍在未来;同时在链接使用一次后将其作废,以避免问题中提到的重复使用。