Hi,

I want to implement a forgot password function in my java web application. I want to implement it like this:

  1. User enters their account email address and presses 'forgot password' button
  2. App generates a unique code of characters and numbers and sends a link with that as a parameter to the user's email address
  3. User clicks the link and they are presented with a form where they can enter their new password

What I want to do is ensure that the link (i.e. the unique code) 'expires' an hour after the user presses the forgot password button so that if an attacker gains access to their email account this link won't work unless they gain access in that first hour.

I don't know how to make the database 'expire' or clear the code for the user's account record. How could I implement this?

Thanks!

A: 

You store the date in the database that the unique code was generated. When the user clicks on the link, if it is more than the allowed time since the unique code was generated, you do not let them change the password.

RedFilter
+3  A: 

Add a ValidUntil column to the table containing the code and check against that before letting the user change the password.

klausbyskov
I find it better to store the date the code was generated because a) you can easily change the allowed time without having to update existing data in the database, and b) during testing, you can simulate the time being exceeded by changing the value of allowed time in your code, rather than having to mess around with data in the database.
RedFilter
@OrbMan, I agree with a) and I don't think this comment box allows enough text for me to explain why I don't think b) applies.
klausbyskov
Cool, nice simple solution - feel a bit silly now :)
Annie
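A worked version of the approach the two answers and the comments describe, as an added example that is not code from the question or from either answer: the reset code is generated with `SecureRandom`, the time it was generated is stored next to it (RedFilter's variant, with the one-hour lifetime kept in code as `TOKEN_TTL` so it can be changed or simulated in tests), and redemption is refused once that time plus the lifetime has passed. The `HashMap` stands in for the database table, and the current time is passed in as a parameter so the expiry path can be exercised without touching stored data. Hashing the code before storing it and marking it single-use are assumptions added here, not something the answers state.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class PasswordResetTokens {

    // Allowed lifetime kept in code, per RedFilter's comment: one hour, as the question asks.
    static final Duration TOKEN_TTL = Duration.ofHours(1);

    // Stand-in for the database row. A real table would look like
    //   reset_tokens(token_hash, user_email, created_at, used)   -- hypothetical schema
    // and the check would be "created_at + TTL > now" done in application code.
    static final class ResetRecord {
        final String userEmail;
        final Instant createdAt;
        boolean used;

        ResetRecord(String userEmail, Instant createdAt) {
            this.userEmail = userEmail;
            this.createdAt = createdAt;
        }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, ResetRecord> store = new HashMap<>(); // keyed by token hash

    // Step 2 of the question: generate an unguessable code and record when it was made.
    // Returns the raw code for the e-mailed link; only its hash is stored (assumption).
    public String issueToken(String userEmail, Instant now) {
        byte[] raw = new byte[32];                       // 256 bits of entropy
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(sha256Hex(token), new ResetRecord(userEmail, now));
        return token;
    }

    // Step 3: called when the user submits the form behind the link. Returns the account
    // the reset applies to, or empty if the code is unknown, already used, or older than TTL.
    public Optional<String> redeemToken(String token, Instant now) {
        String key = sha256Hex(token);
        ResetRecord rec = store.get(key);
        if (rec == null || rec.used) {
            return Optional.empty();
        }
        if (now.isAfter(rec.createdAt.plus(TOKEN_TTL))) {
            store.remove(key);                           // expired: clear it, as the question wanted
            return Optional.empty();
        }
        rec.used = true;                                 // single use (assumption)
        return Optional.of(rec.userEmail);
    }

    // Hash the code so a leaked table does not hand out live reset links.
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);          // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        PasswordResetTokens tokens = new PasswordResetTokens();
        Instant issued = Instant.parse("2024-01-01T10:00:00Z"); // constructed timestamp
        String code = tokens.issueToken("user@example.invalid", issued);

        // Within the hour: accepted, and the account it belongs to comes back.
        System.out.println("at +30min: " + tokens.redeemToken(code, issued.plus(Duration.ofMinutes(30))));
        // Second use of the same code: refused.
        System.out.println("reuse:     " + tokens.redeemToken(code, issued.plus(Duration.ofMinutes(31))));

        // Fresh code, then simulate the clock moving past the lifetime (RedFilter's point b).
        String late = tokens.issueToken("user@example.invalid", issued);
        System.out.println("at +2h:    " + tokens.redeemToken(late, issued.plus(Duration.ofHours(2))));
        // Garbage code: refused without revealing anything.
        System.out.println("unknown:   " + tokens.redeemToken("not-a-real-code", issued));
    }
}
```

Passing `now` in rather than calling `Instant.now()` inside the class is what makes the expiry path testable without editing rows; in the servlet you would simply pass `Instant.now()`. If you prefer klausbyskov's `ValidUntil` column instead, store `now.plus(TOKEN_TTL)` at issue time and replace the `isAfter` check with `now.isAfter(rec.validUntil)`; everything else stays the same.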