I simply send the password hash in the activation/password reset emails (I use the same mechanism for both) together with the email address/username. If the account is locked and expired, the user is allowed to activate it and is forced to choose a new password, after which I set the account back to enabled. Additionally, I set an expiration date - for activation cases it's obviously a fairly short period (e.g. 24h), but it can be used to expire a regular password as well.
Kalle

On Thu, Sep 17, 2009 at 6:19 PM, Tauren Mills <[email protected]> wrote:

> This might be a little off-topic, but I figured shiro users would have experience or opinions on this.
>
> I'm looking for advice on creating an activation link that is emailed to a new user of a web site. In a previous small project I created a string like the following and then used a Base64 hash on it:
>
> username:datecreated:emailaddress:expiredate
>
> When a link with the hash is clicked, the values would be extracted and used to look up the account, verify that the date created and email address match, and that the current date is before the expire date. If this all matches, then the account would be activated.
>
> However, this isn't terribly secure. Anyone have advice on a better way to do this? Does shiro provide any encryption/decryption features that I could use to make it stronger? Are there recommended encryption tools I should be using for this?
>
> Lastly, I also need a forgot/reset password link for my current project and want to make it more secure as well.
>
> Thanks,
> Tauren
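As an added example, not code from either poster or from Shiro: the field list quoted above becomes a token the server can actually verify once it is covered by an HMAC under a server-side key, since Base64 encoding alone can be rewritten by anyone who reads the link. The key, account record and timestamps are constructed for the demo; the token carries its own expiry and reveals nothing about the password or its hash.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption: loaded from server configuration in practice; constructed demo value.
SERVER_KEY = b"constructed-demo-key-use-32-random-bytes-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(username, email, created_at, ttl_seconds, now=None, key=SERVER_KEY):
    """base64(payload).base64(HMAC-SHA256(key, payload)); the payload holds the
    quoted scheme's fields plus an expiry and nothing derived from the password."""
    now = int(time.time()) if now is None else now
    fields = {"u": username, "e": email, "c": created_at, "x": now + ttl_seconds}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token, account, now=None, key=SERVER_KEY):
    """True only if the MAC verifies, the link is unexpired and every field matches
    the stored account (dict: username, email, created_at). The caller then changes
    account state (activate / force new password) so the link cannot be reused."""
    now = int(time.time()) if now is None else now
    try:
        p64, m64 = token.split(".", 1)
        payload, mac = _unb64(p64), _unb64(m64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time compare, and verify the MAC before trusting any field.
    if not hmac.compare_digest(mac, expected):
        return False
    fields = json.loads(payload)
    if now >= fields["x"]:
        return False
    return (fields["u"] == account["username"]
            and fields["e"] == account["email"]
            and fields["c"] == account["created_at"])
```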
