On Thu, Sep 17, 2009 at 10:42 PM, Tauren Mills <[email protected]> wrote:
> Thanks for the reply. So do you require that they re-enter the password to
> validate the account? Or just the fact that the password hash matches is
> good enough? Do you send these two things in the clear as query params, or

I don't typically require anything else - obviously you could if you needed
the extra security.

> do you URLencode them together?

I've done both ways, in clear and lightly encoded together. But I mostly
rely on these two things for security: the account can only be activated if
it's in a locked state, and the link expires quickly.

Kalle

> On Thu, Sep 17, 2009 at 6:34 PM, Kalle Korhonen <[email protected]>
> wrote:
>>
>> I simply send the password hash in the activation/password reset
>> emails (I use the same mechanism for both) together with the email
>> address/username. If the account is locked and expired, the user is allowed
>> to activate it and is forced to choose a new password, after which I set
>> the account back to enabled. Additionally, I set an expiration date -
>> for activation cases it's obviously a fairly short period (e.g. 24h)
>> but can be used to expire a regular password as well.
>>
>> Kalle
>>
>>
>> On Thu, Sep 17, 2009 at 6:19 PM, Tauren Mills <[email protected]> wrote:
>> > This might be a little off-topic, but I figured shiro users would have
>> > experience or opinions on this.
>> >
>> > I'm looking for advice on creating an activation link that is emailed to
>> > a new user of a web site. In a previous small project I created a string
>> > like the following and then used a Base64 hash on it:
>> >
>> > username:datecreated:emailaddress:expiredate
>> >
>> > When a link with the hash is clicked, the values would be extracted and
>> > used to look up the account, verify that the date created and email
>> > address match, and that the current date is before the expire date. If
>> > this all matches, then the account would be activated.
>> >
>> > However, this isn't terribly secure. Anyone have advice on a better way
>> > to do this? Does shiro provide any encryption/decryption features that
>> > I could use to make it stronger? Are there recommended encryption tools
>> > I should be using for this?
>> >
>> > Lastly, I also need a forgot/reset password link for my current project
>> > and want to make it more secure as well.
>> >
>> > Thanks,
>> > Tauren
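Added example, not code from the thread or from Shiro: the scheme Tauren describes only Base64-encodes `username:datecreated:emailaddress:expiredate`, and Base64 is an encoding anyone can reverse and re-encode, so the fields can be rewritten to point at another account or a later expiry. The block below keeps the same idea of carrying the fields in the link but adds an HMAC over them, so the server can detect any modification, and it enforces the two server-side rules Kalle relies on: the link expires, and activation is only accepted while the account is still in the locked state (which also makes a replayed link useless after the first click). It is written in Python rather than the Java/Shiro context of the thread because the technique is language-independent; the secret key, the in-memory account table, the usernames and the `purpose` field are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side secret, constructed for this example. In a real deployment
# load it from configuration or a secrets store, never from source code.
SECRET_KEY = b"example-only-server-secret-change-me"

# Constructed in-memory account table: username -> account record.
# "locked" means the account was created but has not been activated yet.
ACCOUNTS = {
    "tauren": {"email": "tauren@example.invalid", "state": "locked"},
}


def _b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the token drops into a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(username: str, purpose: str, ttl_seconds: int,
               now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Build '<payload>.<hmac>' where payload = purpose:username:expiry:nonce.

    The fields stay readable (base64 is encoding, not secrecy), but changing
    any of them invalidates the HMAC, so the link cannot be forged or
    retargeted at another account. The nonce makes each issued link unique.
    """
    if ":" in username or ":" in purpose:
        raise ValueError("username/purpose must not contain ':'")
    now = int(time.time()) if now is None else now
    payload = f"{purpose}:{username}:{now + ttl_seconds}:{secrets.token_hex(8)}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_token(token: str, expected_purpose: str,
                 now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Return the username the token was issued for, or raise ValueError.

    Order matters: check the MAC before trusting any field, compare it in
    constant time, and only then look at purpose and expiry.
    """
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64url(payload_b64), _unb64url(sig_b64)
    except ValueError:  # wrong part count or bad base64 (binascii.Error is a ValueError)
        raise ValueError("malformed token") from None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    parts = payload.decode("ascii").split(":")
    if len(parts) != 4:
        raise ValueError("malformed payload")
    purpose, username, expires, _nonce = parts
    if purpose != expected_purpose:
        raise ValueError("token issued for a different purpose")
    if now >= int(expires):
        raise ValueError("token expired")
    return username


def activate_account(token: str, accounts: dict = ACCOUNTS,
                     now: Optional[int] = None) -> str:
    """Activate the account named in a valid 'activate' token.

    Besides the token itself, require the account to still be locked. That
    server-side state, not anything inside the link, is what makes a captured
    or replayed link useless after the first successful use.
    """
    username = verify_token(token, "activate", now=now)
    account = accounts.get(username)
    if account is None or account["state"] != "locked":
        raise ValueError("account is not awaiting activation")
    account["state"] = "enabled"
    return username


if __name__ == "__main__":
    link = make_token("tauren", "activate", ttl_seconds=24 * 3600)
    print("activation link: https://example.invalid/activate?t=" + link)
    print("activated:", activate_account(link))
    try:
        activate_account(link)
    except ValueError as err:
        print("second click rejected:", err)
```

The same `make_token`/`verify_token` pair serves the forgot-password flow by issuing with a different `purpose` (say `"reset"`), and the purpose check keeps a reset link from being accepted on the activation endpoint or vice versa; the state rule for a reset is different (the account is enabled, and the handler must force a new password before doing anything else). If you would rather not put any account data in the link at all, the alternative is an opaque random token (`secrets.token_urlsafe`) stored server-side as a hash with its expiry, which then needs no MAC but does need a database lookup on every click.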
