Implementing forgot password functionality in Java

vigamage · Dec 5, 2014 · Viewed 48.9k times

I am currently implementing a forgot password function in a Java project. My methodology is:

  1. User clicks the forgot password link.
  2. In the forgot password page, the system prompts the user to enter the email address he/she has registered in the system.
  3. An email which contains a link to reset the password is sent to the given email address in step above.
  4. User clicks the link and he/she gets redirected to a page (reset password) where the user can enter his new password.
  5. In Reset Password page, the field "email address" is filled automatically and it cannot be changed.
  6. Then the user enters his new password and the field related to the email address in the database is updated.

Although I have restricted the email address field in the reset password page from editing (a read-only field), anyone can alter the URL in the address bar of the browser and change the email address field.

How do I restrict every user from altering the email address in the reset password page?

Answer

clement · Dec 5, 2014

You have to save it in the DB before sending the email, using a token:

  1. When the user clicks on "send me an email with reset instructions", you create one record in the DB with these fields: email, token, expirationdate.
  2. The user receives an email with yourwwebsite.com/token and clicks on it.
  3. With the token in the URL, the server can identify the user, check that the request has not expired thanks to expirationdate, put the right email into the box, and ask for password renewal. The user types the new passwords and you have to give the token (hidden field in the form) + passwords to the server. The server doesn't care about the textbox for the email, because with the token the user is identified strongly.
  4. Then the server checks that the token is still valid with expirationdate (again), checks that the passwords match and, if all is ok, saves the new password! The server can send another message to inform the user that the password has been changed due to the request.

This is really safe. Please use a short time for the expirationdate to improve the security (for instance 5 minutes is correct for me) and use a strong token (such as a GUID, see comments).
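The flow in this answer, as an added Java example that is not clement's code: a `ConcurrentHashMap` stands in for the DB table (email, token, expirationdate), the token is 256 bits from `SecureRandom`, and the reset page and the submit handler both identify the user from the token alone, re-checking expiry on submit. Storing only a SHA-256 hash of the token and deleting the row on first use are additions beyond the answer, so a leaked table or a reused link yields nothing; class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class PasswordResetService {
    /** One row of the (email, token, expirationdate) table; the token itself is the map key, hashed. */
    private record ResetRecord(String email, Instant expiresAt) {}
    private static final Duration TTL = Duration.ofMinutes(5); // short lifetime, as the answer advises
    private final SecureRandom random = new SecureRandom();
    // Stand-in for the DB table, keyed by SHA-256(token) so a dumped table contains no usable links.
    private final Map<String, ResetRecord> table = new ConcurrentHashMap<>();

    /** Step 1: create the record and return the raw token that goes into the emailed link. */
    public String createResetToken(String email) {
        byte[] raw = new byte[32];                        // 256 random bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(sha256Hex(token), new ResetRecord(email, Instant.now().plus(TTL)));
        return token;
    }
    /** Step 3: the reset page looks the user up by token only and pre-fills the email field. */
    public Optional<String> emailForToken(String token) {
        ResetRecord rec = table.get(sha256Hex(token));
        if (rec == null || Instant.now().isAfter(rec.expiresAt())) return Optional.empty();
        return Optional.of(rec.email());
    }
    /** Step 4: on submit, re-check expiry, invalidate the token (single use) and return the account
     *  whose password may be updated. The email textbox from the form is deliberately not consulted. */
    public Optional<String> consumeToken(String token) {
        ResetRecord rec = table.remove(sha256Hex(token));
        if (rec == null || Instant.now().isAfter(rec.expiresAt())) return Optional.empty();
        return Optional.of(rec.email());
    }
    private static String sha256Hex(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

The submit handler should call `consumeToken` only after the two password fields have been compared and the new password hashed, so a rejected submission does not burn the token; a second call with the same token returns `Optional.empty()`.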