I am currently implementing a forgot password function in a Java project. My methodology is:
Although I have restricted the email address field in the reset password page from editing (a read-only field), anyone can alter the URL in the address bar of the browser and change the email address field.
How do I restrict every user from altering the email address in the reset password page?
You have to save it in the DB before sending the email, using a token:
    email
    token
    expirationdate
With the token in the URL, the server can identify the user, check that the request has not expired (thanks to expirationdate), put the right email into the box, and ask for password renewal. The user types the new passwords and you have to send the token (hidden field in the form) + passwords to the server. The server doesn't care about the textbox for the email because, with the token, the user is identified strongly. Check expirationdate (again), check that the passwords match, and if all is OK, save the new password! The server can send a message again to inform the user that the password has been changed due to the request. This is really safe. Please use a short time for expirationdate to improve the security (for instance 5 minutes is correct for me) and use a strong token (such as a GUID, see comments).
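As an added example (not code from the question or the answer above), here is the token flow the answer describes, written for Java 17. A HashMap stands in for the DB table (email, token, expirationdate); the class and method names, the 5-minute lifetime constant and the sample address are assumptions of this example. It stores only a SHA-256 hash of the token, draws the token from SecureRandom rather than a GUID, makes it single-use, and never reads any email field posted with the form.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;
import java.util.Optional;
import java.util.function.Supplier;

// Added example. The map is a stand-in for the reset table; a real service persists it in the DB.
public class PasswordResetService {

    // Short lifetime, as the answer recommends.
    private static final Duration TOKEN_LIFETIME = Duration.ofMinutes(5);

    // One row of the (hypothetical) reset table: the token itself is only kept hashed.
    private record ResetRequest(String email, Instant expiresAt) {}

    // Key: hex(SHA-256(token)). Looking up by hash means no string compare on the secret.
    private final Map<String, ResetRequest> store = new HashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Supplier<Instant> now;   // injectable clock so expiry can be exercised

    public PasswordResetService(Supplier<Instant> now) {
        this.now = now;
    }

    /** Step 1 ("forgot password" form): store a request, return the raw token for the e-mailed URL. */
    public String createResetToken(String email) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(hashOf(token), new ResetRequest(email, now.get().plus(TOKEN_LIFETIME)));
        return token;
    }

    /** Step 2 (GET /reset?token=...): identify the user from the token alone. */
    public Optional<String> emailForToken(String token) {
        return lookup(token).map(ResetRequest::email);
    }

    /**
     * Step 3 (POST with hidden token + passwords): re-check expiry, check the passwords match,
     * and return the account's email if the caller may now store the new password (hashed).
     * Any email field posted with the form is deliberately ignored.
     */
    public Optional<String> consumeResetToken(String token, String newPassword, String confirmPassword) {
        if (newPassword == null || !newPassword.equals(confirmPassword)) {
            return Optional.empty();
        }
        Optional<ResetRequest> request = lookup(token);
        request.ifPresent(r -> store.remove(hashOf(token)));   // single use: a replayed link fails
        return request.map(ResetRequest::email);
    }

    private Optional<ResetRequest> lookup(String token) {
        if (token == null) {
            return Optional.empty();
        }
        String key = hashOf(token);
        ResetRequest request = store.get(key);
        if (request == null) {
            return Optional.empty();
        }
        if (now.get().isAfter(request.expiresAt())) {
            store.remove(key);                           // expired: purge rather than honour it
            return Optional.empty();
        }
        return Optional.of(request);
    }

    private static String hashOf(String token) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            return HexFormat.of().formatHex(digest.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JDK", e);
        }
    }

    public static void main(String[] args) {
        Instant[] clock = { Instant.now() };             // mutable test clock
        PasswordResetService service = new PasswordResetService(() -> clock[0]);
        String token = service.createResetToken("alice@example.com");   // constructed sample account

        // Address-bar tampering: a guessed token finds nothing; the real one identifies the user.
        System.out.println("bogus token  -> " + service.emailForToken("not-the-token"));
        System.out.println("real token   -> " + service.emailForToken(token));

        // Reset, then replay the same link.
        System.out.println("first use    -> " + service.consumeResetToken(token, "N3w-pass!", "N3w-pass!"));
        System.out.println("replay       -> " + service.consumeResetToken(token, "N3w-pass!", "N3w-pass!"));

        // Expiry: a fresh token is dead once the clock moves past the lifetime.
        String late = service.createResetToken("alice@example.com");
        clock[0] = clock[0].plus(Duration.ofMinutes(6));
        System.out.println("after 6 min  -> " + service.emailForToken(late));
    }
}
```

Hashing the stored token means a read-only leak of the reset table (a backup, a SQL injection elsewhere) does not hand out working reset links, and deleting the row on first use or on expiry means a link found later in a mail log or browser history is worthless. In a real deployment the caller would hash the new password before storing it and look up the account by the email the token resolves to, never by anything in the request.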