Java: automatically expire a token after 5 minutes

Question   votes: 0   answers: 1

I am trying to build a more secure way to reset a forgotten password with Java web and HSQLDB, without any framework.

I created a form where the user enters his e-mail address; if that address is in the database, an e-mail is sent automatically with a link to reset the password. The link carries a specific token, created each time the user clicks the button to receive the e-mail. This token is stored in the database together with the timestamp of its creation.

The time limit is 5 minutes, and I am trying to delete the token from the database after that, but it does not work. Is there any way to do it? Thanks.

My table:

CREATE TABLE user (
id bigint identity NOT NULL,
username varchar(50) NOT NULL,
email varchar(50) NOT NULL,
password varchar(50) NOT NULL,
attempts int DEFAULT 3,
state varchar(50) DEFAULT 'Active',
reset_token uuid,
time_token TIMESTAMP,
PRIMARY KEY (id)
);

The token generator:

import java.util.UUID;

public class TokenGenerator {
    // UUID.randomUUID() draws its 122 random bits from SecureRandom, so the
    // token is unguessable as long as it is only ever sent to the account owner.
    public static String UniqueToken() {
        return UUID.randomUUID().toString();
    }
}

My class ForgotPasswordHandler.java:


import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.Duration;
import java.time.Instant;

public class ForgotPasswordHandler {
    private static final Duration TOKEN_TTL = Duration.ofMinutes(5);
    private static final Connection con = DBConnectionManager.getConnection();

    // Creates a token for the user when it clicks on submit for forgot password.
    // Returns the stored token so the caller can put the same value in the e-mail link.
    public static String CreateToken(String email) {
        if (con == null) {
            System.out.println("Failed connection");
            return null;
        }
        String token = TokenGenerator.UniqueToken();
        try (PreparedStatement ps = con.prepareStatement(
                "UPDATE user SET reset_token = ?, time_token = ? WHERE email = ?")) {
            ps.setString(1, token);
            ps.setTimestamp(2, Timestamp.from(Instant.now()));
            ps.setString(3, email);
            ps.executeUpdate();
        } catch (SQLException e) {
            e.printStackTrace(System.out);
        }
        return token;
    }

    // Clears every token that is older than 5 minutes.
    // The cutoff is computed in Java and bound as a parameter: HSQLDB does not accept the
    // MySQL-style "NOW() - INTERVAL 5 MINUTE" (its interval literal is INTERVAL '5' MINUTE),
    // and a bound timestamp avoids the dialect question entirely.
    public static void DeleteToken() {
        if (con == null) {
            System.out.println("Failed Connection");
            return;
        }
        try (PreparedStatement ps = con.prepareStatement(
                "UPDATE user SET reset_token = NULL, time_token = NULL WHERE time_token < ?")) {
            ps.setTimestamp(1, Timestamp.from(Instant.now().minus(TOKEN_TTL)));
            ps.executeUpdate();
        } catch (SQLException e) {
            e.printStackTrace(System.out);
        }
    }
}

My servlet ForgotPassword.java:

import java.io.IOException;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ForgotPassword extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private String host;
    private String port;
    private String email;   // SMTP account used to send the mail
    private String name;
    private String pass;

    public void init() {
        // reads SMTP server setting from web.xml file
        ServletContext context = getServletContext();
        host = context.getInitParameter("host");
        port = context.getInitParameter("port");
        email = context.getInitParameter("email");
        name = context.getInitParameter("name");
        pass = context.getInitParameter("pass");
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // verify if email exists in db
        // (named userEmail so it does not shadow the SMTP account field "email";
        // the shadowed field was being passed to EmailSender as the sender account)
        String userEmail = request.getParameter("email");

        if (!UserReset.EmailCheck(userEmail)) {
            String message = "This email isn't in our database";
            request.setAttribute("message", message);
            request.getRequestDispatcher("reset.jsp").forward(request, response);
            return;
        }

        String subject = "Your Password has been reset";

        // Use the token that CreateToken actually stored: generating a second UUID here
        // would put a value in the link that never matches the database row.
        String token = ForgotPasswordHandler.CreateToken(userEmail);
        ForgotPasswordHandler.DeleteToken();

        String url = "http://localhost:8080/login/reset-password.jsp?token=" + token;
        UserReset.RefreshState(userEmail);

        // Builds email message and sends it
        String content = "Hello, please change your password in this link:" + url;
        content += "\nObrigado!";

        String message = "";
        try {
            EmailSender.sendEmail(host, port, email, name, pass,
                    userEmail, subject, content);
            message = "Please verify your email.";
        } catch (Exception ex) {
            ex.printStackTrace();
            message = "Ops, an error occurred: " + ex.getMessage();
        } finally {
            request.setAttribute("message", message);
            request.getRequestDispatcher("reset.jsp").forward(request, response);
        }
    }
}

java servlets token hsqldb
1 answer

0 votes

You probably shouldn't actively delete the token. Just record when the token was issued, and when a new query comes in, fetch the creation time and check whether it is within 5 minutes.
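The approach the answer describes, as an added example that is not code from the question or the answer: the token's issue time is stored, and its age is checked at the moment the link is used rather than by a timed delete. It goes a little beyond the answer in two ways that a practitioner would want: the database holds only a SHA-256 hash of the token (so a leaked row does not yield a working link), and the password change, the expiry check and the invalidation of the token happen in one UPDATE, so a token can be used at most once. The table name app_user, the column password_hash, the VARCHAR(64) hash column and the in-memory HSQLDB URL are assumptions made for this example; the page's own table uses a uuid column and the name user.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Timestamp;
import java.time.Duration;
import java.time.Instant;
import java.util.UUID;

/**
 * Added example (not from the question or answer). Assumed schema: table app_user with
 * columns email, password_hash, reset_token (VARCHAR(64), SHA-256 hex of the token)
 * and time_token (TIMESTAMP, when the token was issued).
 */
public class ResetTokenVerifier {
    static final Duration TOKEN_TTL = Duration.ofMinutes(5);

    /** Generates a token, stores its hash and issue time, returns the raw token for the e-mail link. */
    public static String issueToken(Connection con, String email) throws SQLException {
        String token = UUID.randomUUID().toString();   // 122 random bits from SecureRandom
        try (PreparedStatement ps = con.prepareStatement(
                "UPDATE app_user SET reset_token = ?, time_token = ? WHERE email = ?")) {
            ps.setString(1, sha256Hex(token));         // only the hash is persisted
            ps.setTimestamp(2, Timestamp.from(Instant.now()));
            ps.setString(3, email);
            ps.executeUpdate();
        }
        return token;
    }

    /**
     * Applies the new password only if the token matches and was issued within TOKEN_TTL.
     * The same statement clears the token, so it is single-use. The cutoff is bound as a
     * parameter, so no database-specific INTERVAL syntax is needed.
     * Returns true when a row was updated; false for unknown, expired or already-used tokens.
     */
    public static boolean resetPassword(Connection con, String token, String newPasswordHash)
            throws SQLException {
        Timestamp cutoff = Timestamp.from(Instant.now().minus(TOKEN_TTL));
        try (PreparedStatement ps = con.prepareStatement(
                "UPDATE app_user SET password_hash = ?, reset_token = NULL, time_token = NULL "
              + "WHERE reset_token = ? AND time_token >= ?")) {
            ps.setString(1, newPasswordHash);
            ps.setString(2, sha256Hex(token));
            ps.setTimestamp(3, cutoff);
            return ps.executeUpdate() == 1;
        }
    }

    /** Lower-case hex SHA-256 of the token text. */
    static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(64);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);      // SHA-256 is mandatory in every JRE
        }
    }

    /** Demo against an in-memory HSQLDB; needs hsqldb.jar on the classpath. */
    public static void main(String[] args) throws Exception {
        try (Connection con = DriverManager.getConnection("jdbc:hsqldb:mem:demo", "SA", "")) {
            try (Statement st = con.createStatement()) {
                st.execute("CREATE TABLE app_user (id BIGINT IDENTITY, email VARCHAR(50) NOT NULL, "
                         + "password_hash VARCHAR(64) NOT NULL, reset_token VARCHAR(64), time_token TIMESTAMP)");
                st.execute("INSERT INTO app_user (email, password_hash) VALUES ('alice@example.com', 'old-hash')");
            }
            String token = issueToken(con, "alice@example.com");
            System.out.println("fresh token accepted: " + resetPassword(con, token, "new-hash"));
            System.out.println("same token reused:    " + resetPassword(con, token, "new-hash"));

            // Constructed for the demo: backdate the issue time by 6 minutes to simulate an old link.
            String stale = issueToken(con, "alice@example.com");
            try (PreparedStatement ps = con.prepareStatement(
                    "UPDATE app_user SET time_token = ? WHERE email = ?")) {
                ps.setTimestamp(1, Timestamp.from(Instant.now().minus(Duration.ofMinutes(6))));
                ps.setString(2, "alice@example.com");
                ps.executeUpdate();
            }
            System.out.println("6-minute-old token:   " + resetPassword(con, stale, "new-hash"));
        }
    }
}
```

The reset page would call resetPassword with the token from the query string and the hash of the password the user typed; a false result covers all three failure cases (wrong token, older than 5 minutes, already used) without the caller needing to distinguish them, and the old row needs no cleanup job because a stale token can never match the `time_token >= ?` condition.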
