应用程序的密码恢复功能会发送一封电子邮件，其中包含指向“设置新密码”页面的链接。如果该链接没有被使用，它永远不会过期，攻击者因此可以在之后重复使用它来接管账户。如何让通过电子邮件发送给用户的重置密码链接在 24 小时后过期（并且只能使用一次）？
有人能告诉我解决这个问题应该采用什么方法吗？
package com.www.actions;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;
import com.lang.EncryptionUtil;
import com.www.crm.CrmUser;
import com.www.customer.dao.CustomerUtils;
import com.www.interceptors.SessionManager;
import com.www.services.AmsCustomerService;
import com.raleys.www.services.IAmsCustomerService;
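public class PasswordUpdateAction extends BaseAction {
    /** Comment for <code>serialVersionUID</code> */
    private static final long serialVersionUID = 1L;

    /** Generic message shown to the user when the update fails for any reason (no internals leaked). */
    private static final String UPDATE_FAILED_MSG =
            "Unexpected error occur while updating your password, please try again.";

    private final Logger logger = Logger.getLogger(PasswordUpdateAction.class);

    /** New password as typed by the user (first form field). */
    private String password1 = null;
    /** Confirmation of the new password (second form field). */
    private String password2 = null;
    private final SessionManager sessionManager;

    public PasswordUpdateAction(SessionManager sessionManager) {
        this.sessionManager = sessionManager;
    }

    /**
     * Replaces the password of the CRM user held in the current HTTP session.
     *
     * Flow: the user must already be in the session with non-blank credentials, the two
     * submitted passwords must pass {@code CustomerUtils.validatePasswords}, and the hashed
     * value is then persisted through {@code IAmsCustomerService#updateCrmUserLocally}.
     *
     * NOTE(review): this action performs no reset-token or link-expiry check of its own. If it is
     * reached via an emailed reset link, the token lookup, expiry check and single-use
     * invalidation must happen in the step that consumes the link and populates the session
     * (not visible here) — otherwise a stale link still leads straight to this password change.
     *
     * @return {@code SUCCESS} when the password was stored, {@code ERROR} otherwise; on error
     *         the {@code errorMsg} request attribute (and, for a missing session,
     *         {@code sessionErrorMsg}) carries the message to display
     */
    @Override
    public String execute() {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession session = request.getSession();
        CrmUser crmUser = this.sessionManager.getCrmUser(session);

        // Only a user with an established session AND credentials may change the password.
        if (crmUser == null || StringUtils.isBlank(this.sessionManager.getCredentials(session))) {
            return rejectNotLoggedIn(request);
        }

        IAmsCustomerService amsCustomerService = new AmsCustomerService();
        String errorMsg = null;
        try {
            errorMsg = validateForm();
            if (StringUtils.isBlank(errorMsg)) {
                // SECURITY: MD5 is a fast, unsalted digest and is not suitable for password
                // storage (offline cracking is cheap if the DB leaks). The upper-cased hex form is
                // evidently the format the stored passwords / login check expect, so it cannot be
                // changed in this action alone — migrate the whole scheme to bcrypt/scrypt/argon2
                // (hash-on-login upgrade) and keep this call in step with the verifier.
                String encryptedPassword = EncryptionUtil.encodePassword(getPassword1(), "MD5");

                // NOTE(review): this mutates the session-held user before the DB write; if the
                // update below fails, the in-memory user keeps the new hash. CrmUser's API for
                // reading back the previous value is not visible here, so it is left as-is.
                crmUser.setPassword(encryptedPassword.toUpperCase());

                int success = amsCustomerService.updateCrmUserLocally(crmUser);
                if (success == 1) {
                    request.setAttribute("successMsg", "Your Password Has Been Updated Successfully! ");
                    return SUCCESS;
                }
                this.logger.error("Error Updating crmUser in Local DB. ");
                errorMsg = UPDATE_FAILED_MSG;
            }
        } catch (Exception ex) {
            // Keep the full stack trace in the log (the password itself is never logged);
            // the user only ever sees the generic message.
            this.logger.error("Error, " + ex.getMessage(), ex);
            errorMsg = UPDATE_FAILED_MSG;
        }
        request.setAttribute("errorMsg", errorMsg);
        return ERROR;
    }

    /** Sets the "please log in" messages on the request and yields the ERROR result. */
    private String rejectNotLoggedIn(HttpServletRequest request) {
        request.setAttribute("errorMsg", LOGIN_MSG);
        request.setAttribute("sessionErrorMsg", LOGIN_MSG);
        return ERROR;
    }

    /**
     * Validates the two submitted passwords against each other and the site's rules.
     *
     * @return {@code null}/blank when valid, otherwise the message to show the user
     */
    private String validateForm() {
        return CustomerUtils.validatePasswords(getPassword1(), getPassword2());
    }

    public String getPassword1() {
        return this.password1;
    }

    public void setPassword1(String password1) {
        this.password1 = password1;
    }

    public String getPassword2() {
        return this.password2;
    }

    public void setPassword2(String password2) {
        this.password2 = password2;
    }
}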
为每个重置链接生成一个不可猜测的一次性令牌（例如用 SecureRandom 生成的足够长的随机值），并在服务器端把该令牌与过期时间（创建时间 + 24 小时）以及所属用户一起保存；最好只存储令牌的哈希值，这样即使数据库泄露也不会直接泄露仍然有效的链接。过期时间必须保存在服务器端，而不是编码在链接里让客户端上报。当用户通过该链接尝试修改密码时，在服务器端查找令牌，检查过期时间是否仍在将来且令牌尚未被使用；修改成功后立即使该令牌失效（删除或标记为已用），并一并作废同一用户此前签发的其他重置令牌。注意，上面贴出的 PasswordUpdateAction 本身不校验任何令牌，它只检查会话中是否已有用户，因此这些检查必须放在处理重置链接、把用户放进会话的那一步完成。