我目前正在Java项目中实现忘记密码功能。我的方法是:
虽然我已经限制了重置密码页面中的“电子邮件地址”字段不可编辑(只读字段),但任何人都可以更改浏览器地址栏中的URL以更改电子邮件地址字段。
如何防止每个用户更改重置密码页面中的电子邮件地址?
在发送邮件之前,您必须使用令牌将其保存在数据库中:
email, token, expirationdatetoken ,服务器可以 识别用户,检查请求是否过期(通过 expirationdate),将正确的电子邮件地址放入框中,并要求用户更新密码。用户输入新密码,并且您必须向服务器提供令牌(在表单中 hidden field)和密码。服务器不关心电子邮件文本框,因为 凭借令牌,用户被严格识别expirationdate),检查密码是否匹配,如果一切正常,则保存新密码!服务器可以再次发送消息,以通知用户由于请求已更改密码。这真的很安全。请使用短时间设置 expirationdate(例如,5分钟对我来说是正确的),并使用强令牌(如 GUID,请参见注释)
UUID这样强大的令牌,以便他们不能轻易获取其他用户的令牌。 - Zhedar如果你必须自己实现忘记密码功能,我同意@clement提供的答案。这听起来是一种合理且安全的实现方式。
然而,作为替代方案,如果你不必自己实现它,我建议使用一个可以为你完成此操作的服务,比如Stormpath。
如果你决定使用Stormpath,在Java中触发该功能的代码将如下所示(使用Stormpath的Java SDK):
Account account = application.sendPasswordResetEmail("john.smith@example.com");
您的用户将收到一封带有以下链接的电子邮件:
http://yoursite.com/path/to/reset/page?sptoken=$TOKEN
然后,当用户单击链接时,您将像这样验证并重置密码:
Account account = application.resetPassword("$TOKEN", "newPassword");
如何操作的详细信息可在Stormpath的密码重置文档中找到。
采用这种方法,如果您有选择,则无需自己实现和维护功能。
注意:Stormpath已加入Okta。
<button> <a href="forgotpassword.jsp" style="text-decoration:none;">Forgot
Password</a></button>
以下是我的forgotpassword.jsp页面。
<form id="register-form" role="form" class="form" method="post"
action="mymail_fp.jsp">
<h3>Enter Your Email Below</h3>
<input id="email" name="email" placeholder="Email address" class="form-
control" type="email" required autofocus>
<input name="recover-submit" class="btn btn-lg btn-primary btn-block"
value="Get Password" type="submit">
</form>
邮件提交后,会被重定向到mymail_fp.jsp页面,我会在该页面将邮件发送给用户。
下面是mymail.jsp页面。
<%
mdjavahash md = new mdjavahash();
String smail =request.getParameter("email");
int profile_id = 0;
if(smail!=null)
{
try{
// Register JDBC driver
Class.forName("com.mysql.jdbc.Driver");
// Open a connection
Connection conn =
DriverManager.getConnection("jdbc:mysql://localhost:3306/infoshare", "root",
"");
Statement stmt = conn.createStatement();
String sql1;
sql1="SELECT email FROM profile WHERE email = '"+smail+"'";
ResultSet rs1=stmt.executeQuery(sql1);
if(rs1.first())
{
String sql;
sql = "SELECT Profile_id FROM profile where email='"+smail+"'";
ResultSet rs2 = stmt.executeQuery(sql);
// Extract data from result set
while(rs2.next()){
//Retrieve by column name
profile_id = rs2.getInt("Profile_id");
}
java.sql.Timestamp intime = new java.sql.Timestamp(new
java.util.Date().getTime());
Calendar cal = Calendar.getInstance();
cal.setTimeInMillis(intime.getTime());
cal.add(Calendar.MINUTE, 20);
java.sql.Timestamp exptime = new Timestamp(cal.getTime().getTime());
int rand_num = (int) (Math.random() * 1000000);
String rand = Integer.toString(rand_num);
String finale =(rand+""+intime); //
String hash = md.getHashPass(finale); //hash code
String save_hash = "insert into reset_password (Profile_id, hash_code,
exptime, datetime) values("+profile_id+", '"+hash+"', '"+exptime+"',
'"+intime+"')";
int saved = stmt.executeUpdate(save_hash);
if(saved>0)
{
String link = "http://localhost:8080/Infoshare/reset_password.jsp";
//bhagawat till here, you have fetch email and verified with the email
from
datbase and retrived password from the db.
//-----------------------------------------------
String host="", user="", pass="";
host = "smtp.gmail.com"; user = "example@gmail.com";
//"email@removed" // email id to send the emails
pass = "xxxx"; //Your gmail password
String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory";
String to = smail;
String from = "example@gmail.com";
String subject = "Password Reset";
String messageText = " Click <a href="+link+"?key="+hash+">Here</a> To
Reset
your Password. You must reset your password within 20
minutes.";//messageString;
String fileAttachment = "";
boolean WasEmailSent ;
boolean sessionDebug = true;
Properties props = System.getProperties();
props.put("mail.host", host);
props.put("mail.transport.protocol.", "smtp");
props.put("mail.smtp.auth", "true");
props.put("mail.smtp.", "true");
props.put("mail.smtp.port", "465");
props.put("mail.smtp.socketFactory.fallback", "false");
props.put("mail.smtp.socketFactory.class", SSL_FACTORY);
Session mailSession = Session.getDefaultInstance(props, null);
mailSession.setDebug(sessionDebug);
Message msg = new MimeMessage(mailSession);
msg.setFrom(new InternetAddress(from));
InternetAddress[] address = {new InternetAddress(to)};
msg.setRecipients(Message.RecipientType.TO, address);
msg.setSubject(subject);
msg.setContent(messageText, "text/html");
Transport transport = mailSession.getTransport("smtp");
transport.connect(host, user, pass);
%>
<div class="alert success" style="padding: 30px; background-color: grey;
color: white; opacity: 1; transition: opacity 0.6s; width:50%; margin: 10%
5%
15% 20%;">
<a href="forgotpassword.jsp"> <span class="closebtn" style="color: white;
font-weight: bold; float: right; font-size: 40px; line-height: 35px; cursor:
pointer; transition: 0.3s;">×</span> </a>
<h1 style="font-size:30px;"> <strong>Check Your Email. Link To
Reset Your Password Is Sent To : <%out.println(" "+smail); %></strong>
</h1>
<center><a href="forgotpassword.jsp"><h2><input type="button" value="OK">
</h2></a></center>
</div>
<%
try {
transport.sendMessage(msg, msg.getAllRecipients());
WasEmailSent = true; // assume it was sent
}
catch (Exception err) {
WasEmailSent = false; // assume it's a fail
}
transport.close();
//-----------------------------------------------
}
}
else{
%>
<div class="alert success" style="padding: 30px; background-color: grey;
color: white; opacity: 1; transition: opacity 0.6s; width:50%; margin: 10%
5% 15% 20%;">
<a href="forgotpassword.jsp"> <span class="closebtn" style="color:
white; font-weight: bold; float: right; font-size: 40px; line-height: 35px;
cursor: pointer; transition: 0.3s;">×</span> </a>
<h1 style="font-size:30px;"> <strong>There Is No Email As
Such <%out.println(" "+smail); %></strong>Try Again </h1>
<center><a href="forgotpassword.jsp"><h2><input type="button"
value="OK"></h2></a></center>
</div>
<%
}
stmt.close();
rs1.close();
conn.close();
}catch(SQLException se){
//Handle errors for JDBC
se.printStackTrace();
}catch(Exception e){
//Handle errors for Class.forName
e.printStackTrace();
}
}
else{
%>
<div class="alert success" style="padding: 30px; background-color: grey;
color: white; opacity: 1; transition: opacity 0.6s; width:50%; margin: 10%
5% 15% 20%;">
<a href="forgotpassword.jsp"> <span class="closebtn" style="color: white;
font-weight: bold; float: right; font-size: 40px; line-height: 35px;
cursor:
pointer; transition: 0.3s;">×</span> </a>
<h1 style="font-size:30px;"> <strong>Please Enter The Valid
Email Address</strong> </h1>
<center><a href="forgotpassword.jsp"><h2><input type="button" value="OK">
</h2></a></center>
</div>
<%
}
%>
现在我所做的是,在向用户发送电子邮件之前,我会保存发送时间,过期时间,并从0到1000000生成随机数字并将其与发送时间连接起来加密。然后将它作为查询字符串发送到电子邮件中的链接中。因此,电子邮件将被发送,并且密码重置链接将与哈希密钥一起发送。现在当用户单击链接时,他们将被发送到reset_password.jsp页面,以下是reset_password.jsp页面。
<%
String hash = (request.getParameter("key"));
java.sql.Timestamp curtime = new java.sql.Timestamp(new
java.util.Date().getTime());
int profile_id = 0;
java.sql.Timestamp exptime;
try{
// Register JDBC driver
Class.forName("com.mysql.jdbc.Driver");
// Open a connection
Connection conn =
DriverManager.getConnection("jdbc:mysql://localhost:3306/infoshare", "root",
"");
Statement stmt = conn.createStatement();
String sql = "select profile_id, exptime from reset_password where
hash_code ='"+hash+"'";
ResultSet rs = stmt.executeQuery(sql);
if(rs.first()){
profile_id = rs.getInt("Profile_id");
exptime = rs.getTimestamp("exptime");
//out.println(exptime+"/"+curtime);
if((curtime).before(exptime)){
%>
<div class="container">
<form class="form-signin" action="update_reset.jsp" method="Post">
<br/><br/>
<h4 class="form-signin-heading">Reset Your Password Here</h4>
<br>
<text style="font-size:13px;"><span class="req"
style="color:red">* </span>Enter New Password</text>
<input type="password" id="inputPassword" name="newpassword"
class="form-control" placeholder="New Password" required autofocus>
<br>
<text style="font-size:13px;"><span class="req"
style="color:red">* </span>Enter New Password Again</text>
<input type="password" id="inputPassword" name="confirmpassword"
class="form-control" placeholder="New Password Again" required>
<input type="hidden" name="profile_id" value=<%=profile_id %>>
<br>
<button class="btn btn-lg btn-primary btn-block"
type="submit">Reset Password</button>
</form>
</div> <!-- /container -->
<% }
else{
%>
<div class="alert success" style="padding: 30px; background-color:
grey; color: white; opacity: 1; transition: opacity 0.6s; width:50%;
margin: 10% 5% 15% 20%;">
<a href="forgotpassword.jsp"> <span class="closebtn"
style="color: white; font-weight: bold; float: right; font-size: 40px;
line-height: 35px; cursor: pointer; transition: 0.3s;">×</span>
</a>
<h1 style="font-size:30px;"> The Time To Reset
Password Has Expired.<br> Try Again </h1>
<center><a href="forgotpassword.jsp"><h2><input type="button"
value="OK"></h2></a></center>
</div>
<%
}
}
else{
%>
<div class="alert success" style="padding: 30px; background-color: grey;
color: white; opacity: 1; transition: opacity 0.6s; width:50%; margin:
10% 5% 15% 20%;">
<a href="forgotpassword.jsp"> <span class="closebtn" style="color:
white; font-weight: bold; float: right; font-size: 40px; line-height:
35px; cursor: pointer; transition: 0.3s;">×</span> </a>
<h1 style="font-size:30px;"> The Hash Key DO Not Match.
<br/> Try Again!! </h1>
<center><a href="forgotpassword.jsp"><h2><input type="button"
value="OK"></h2></a></center>
</div>
<%
}
// Clean-up environment
rs.close();
stmt.close();
conn.close();
}catch(SQLException se){
//Handle errors for JDBC
se.printStackTrace();
}catch(Exception e){
e.printStackTrace();
}
%>
在这个页面中,我获取哈希键并与数据库哈希键进行比较,如果匹配,则获取过期时间并与当前时间进行比较。如果重置密码的时间尚未过期,则显示重置密码表单,否则抛出错误消息。如果时间未过期,则显示表单,当表单提交时,将重定向到update_reset.jsp,以下是我的update_reset.jsp页面。
<%
mdjavahash md = new mdjavahash();
String profile_id= request.getParameter("profile_id");
String np= request.getParameter("newpassword");
String cp = request.getParameter("confirmpassword");
//out.println(np +"/"+ cp);
if( np.equals(" ") || cp.equals(" ")){%>
<div class="alert success" style="padding: 30px; background-color: grey;
color: white; opacity: 1; transition: opacity 0.6s; width:50%; margin: 10%
5% 15% 20%;">
<a href="reset_password?profile_id=<%=profile_id%>"> <span
class="closebtn" style="color: white; font-weight: bold; float: right;
font-size: 40px; line-height: 35px; cursor: pointer; transition:
0.3s;">×</span> </a>
<h1 style="font-size:30px;"> Please Fill Both The Fields
</h1>
<center><a href="reset_password?profile_id=<%=profile_id%>""><h2><input
type="button" value="OK"></h2></a></center>
</div>
<% }
else if(!np.equals(cp)){
%>
<div class="alert success" style="padding: 30px; background-color: grey;
color: white; opacity: 1; transition: opacity 0.6s; width:50%; margin: 10%
5% 15% 20%;">
<a href="reset_password?profile_id=<%=profile_id%>"> <span
class="closebtn" style="color: white; font-weight: bold; float: right;
font-size: 40px; line-height: 35px; cursor: pointer; transition:
0.3s;">×</span> </a>
<h1 style="font-size:30px;"> The Two Passwords Do Not
Match. Try Again </h1>
<center><a href="reset_password?profile_id=<%=profile_id%>"><h2>
<input type="button" value="OK"></h2></a></center>
</div>
<%
}
else{
try{
// Register JDBC driver
Class.forName("com.mysql.jdbc.Driver");
// Open a connection
Connection conn =
DriverManager.getConnection("jdbc:mysql://localhost:3306/infoshare",
"root", "");
// Execute SQL query
Statement stmt = conn.createStatement();
stmt.executeUpdate("update profile set
password='"+md.getHashPass(np)+"' where Profile_id="+profile_id+"");
//response.sendRedirect("mainpage.jsp");
%>
<div class="alert success" style="padding: 30px; background-color:
grey; color: white; opacity: 1; transition: opacity 0.6s; width:65%;
margin: 10% 5% 15% 20%;">
<a href="login.jsp"> <span class="closebtn" style="color: white;
font-weight: bold; float: right; font-size: 40px; line-height: 35px;
cursor: pointer; transition: 0.3s;">×</span> </a>
<h1 style="font-size:30px;"> The Password Is
Successfully Reset.<br> Try Login With New
Password</h1>
<br><br><center><a href="login.jsp"><p style="font-size:20px">
<input type="button" style="width:40px; height:35px;"
value="OK"></p></a>
</center>
</div>
<%
stmt.close();
conn.close();
}catch(SQLException se){
//Handle errors for JDBC
se.printStackTrace();
}catch(Exception e){
//Handle errors for Class.forName
e.printStackTrace();
}
}
%>
在这个页面中,我首先验证字段,然后使用新密码更新数据库。虽然它很长,但它有效。我在这里使用了MD5加密技术,如果您想知道如何操作,请参考链接如何在JSP中使用JavaScript进行安全登录密码的MD5哈希?
您不能限制用户更改电子邮件地址。
即使您已经隐藏或将文本框设置为只读,也可以通过在浏览器中编辑源代码轻松更改电子邮件地址。
您可以提供带有重置链接的唯一随机字符串或令牌,并在单击重置密码链接或用户提交重置密码请求后通过检查请求中的电子邮件地址和令牌字符串与数据库中的电子邮件地址和令牌字符串的组合来检查电子邮件地址和令牌组合。
如果电子邮件地址存在于您的数据库中,那么说明电子邮件地址是有效的;否则,请给出消息说明电子邮件地址不存在于您的用户记录中。
注意:
如果您正在使用任何框架或简单的servlet,则最好提供链接,以便在显示重置密码表单之前验证电子邮件和令牌字符串。如果令牌字符串或电子邮件地址无效,则可以防止用户提交重置密码请求并在提交请求后进行验证。这比提交重置密码请求后进行验证更安全。
有两种常见的解决方案:
1. Creating a new password on the server and inform user from it.
2. Sending a unique URL to reset password.
第一种解决方案存在很多问题,不适合使用。以下是一些原因:
1. The new password which is created by server should be sent through an insecure channel (such as email, sms, ...) and resides in your inbox.
2. If somebody know the email address or phone number of a user who has an account at a website then then it is possible to reset user password.
- The reset url should be random, not something guessable and unique to this specific instance of the reset process.
- It should not consist of any external information to the user For example, a reset URL should not simply be a path such as “.../?username=Michael”.
- We need to ensure that the URL is loaded over HTTPS. No, posting to HTTPS is not enough, that URL with the token must implement transport layer
security so that the new password form cannot be MITM’d and the password the user creates is sent back over a secure connection.
- The other thing we want to do with a reset URL is setting token's expiration time so that the reset process must be completed within a certain duration.
- The reset process must run once completely. So, Reset URL can not be appilicable if the reset process is done completely once.