Question
I am implementing Forgot Password scenario in an asp .net core 2.x application. I followed the default behavior
- Click forgot password link from login
- Enter email
- Send an email with a link /ResetPassword?code=[Some encoded string] ...etc
- Click the link and opens the Reset Password screen with an email, new password and confirm password.
All the above is OK, and if the user attempts to click the link in step 3, the system will deny the request, saying Invalid Token!
I need to implement a couple more, following best practice.
- Deny the request or invalidate the token after a time period, e.g. 24 hours.
- Deny the request if the user's attempts exceed a threshold, e.g. 3 times per day.
Any help? Thanks in Advance.
Answer 1:
#1 is already the case, though the default is more than 24 hours, I'm sure. If you want to change it:
// In Startup.ConfigureServices, after services.AddIdentity(...):
services.Configure<DataProtectionTokenProviderOptions>(options =>
{
    options.TokenLifespan = TimeSpan.FromDays(1); // reset (and confirmation) tokens expire after this
});
#2 would require some custom development, as there's no built-in way to limit the number of requests. In general, you would need to somehow persist the fact that a reset was submitted for a particular account at a particular time. Then, you can query that store to determine if there have been more than 3 such attempts for a particular account within your timeframe.
That said, it's probably not a good idea to implement that. If there is some sort of malicious activity occurring, you'll end up blocking the actual user's attempts to reset their password. If you're worried about a bot spamming the form, you'd be better off implementing a CAPTCHA and/or employing a web application firewall.
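The following is an added example, not code from the question or the answer above, sketching both pieces for ASP.NET Core Identity in C#. The TokenLifespan setting uses the real DataProtectionTokenProviderOptions type (the framework default is already one day, so setting it only matters when you want a different value); the attempt store, its in-memory implementation and the PasswordResetService wrapper are hypothetical names introduced here, since Identity ships no request counter. It also keeps the response identical whether the address is unknown, the limit is hit, or the mail is sent, so the counter does not turn into an account-enumeration oracle:

```csharp
// Added example, not from the original page. Identity types used:
// DataProtectionTokenProviderOptions, UserManager<TUser>, IdentityUser.
// IPasswordResetAttemptStore, InMemoryPasswordResetAttemptStore and
// PasswordResetService are hypothetical names chosen for this sketch.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// #1: token lifetime. The reset token carries its creation time; the
// data-protection token provider rejects it once TokenLifespan has elapsed.
public static class IdentityTokenConfig
{
    public static void Configure(IServiceCollection services)
    {
        services.Configure<DataProtectionTokenProviderOptions>(options =>
        {
            options.TokenLifespan = TimeSpan.FromHours(24);
        });
        services.AddSingleton<IPasswordResetAttemptStore, InMemoryPasswordResetAttemptStore>();
        services.AddScoped<PasswordResetService>();
    }
}

// #2: per-account request limit. Hypothetical store interface; a production
// implementation would persist to the database so the count survives restarts
// and is shared across instances.
public interface IPasswordResetAttemptStore
{
    Task<int> CountSinceAsync(string userId, DateTimeOffset since);
    Task RecordAsync(string userId, DateTimeOffset when);
}

public sealed class InMemoryPasswordResetAttemptStore : IPasswordResetAttemptStore
{
    private readonly ConcurrentDictionary<string, List<DateTimeOffset>> _attempts =
        new ConcurrentDictionary<string, List<DateTimeOffset>>();

    public Task<int> CountSinceAsync(string userId, DateTimeOffset since)
    {
        var list = _attempts.GetOrAdd(userId, _ => new List<DateTimeOffset>());
        lock (list) { return Task.FromResult(list.Count(t => t >= since)); }
    }

    public Task RecordAsync(string userId, DateTimeOffset when)
    {
        var list = _attempts.GetOrAdd(userId, _ => new List<DateTimeOffset>());
        lock (list) { list.Add(when); }
        return Task.CompletedTask;
    }
}

public sealed class PasswordResetService
{
    private const int MaxRequestsPerWindow = 3;            // "3 times per day"
    private static readonly TimeSpan Window = TimeSpan.FromDays(1);

    private readonly UserManager<IdentityUser> _userManager;
    private readonly IPasswordResetAttemptStore _store;

    public PasswordResetService(UserManager<IdentityUser> userManager, IPasswordResetAttemptStore store)
    {
        _userManager = userManager;
        _store = store;
    }

    // Returns the token to put in the e-mail link, or null when no mail should
    // be sent. The caller must render the same "if that address exists, a link
    // has been sent" page in every case; otherwise the limit (or the null for an
    // unknown address) tells an attacker which accounts exist.
    public async Task<string> RequestResetTokenAsync(string email)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user == null) return null;

        var now = DateTimeOffset.UtcNow;
        if (await _store.CountSinceAsync(user.Id, now - Window) >= MaxRequestsPerWindow)
        {
            // Over the threshold. Note the answer's caveat: this also blocks the
            // legitimate owner while someone else is hammering their address.
            return null;
        }

        await _store.RecordAsync(user.Id, now);
        return await _userManager.GeneratePasswordResetTokenAsync(user);
    }
}
```

The count is keyed by user id rather than by e-mail string so case variants of the same address share one budget, and the window is sliding (last 24 hours) rather than a calendar day, which is what "3 per day" usually means in practice.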
Source: https://stackoverflow.com/questions/50841665/invalidate-forgot-password-link-after-time-period-asp-net-core