Invalidate “Forgot Password” link after time period asp net core

假装没事ソ submitted on 2020-07-23 07:42:13

Question


I am implementing the Forgot Password scenario in an ASP.NET Core 2.x application. I followed the default behavior:

  1. Click forgot password link from login
  2. Enter email
  3. Send an email with a link /ResetPassword?code=[Some encoded string] ...etc
  4. Click the link and opens the Reset Password screen with an email, new password and confirm password.

All the above is OK, and if the user attempts to click the link in step 3, the system will deny the request saying, Invalid Token!

I need to implement a couple more, following best practice.

  1. Deny the request or invalidate the token after a time period, i.e. 24 hours.
  2. Deny the request if the user's attempts exceed a threshold, i.e. 3 times per day.

Any help? Thanks in Advance.


Answer 1:


#1 is already the case, though the default is more than 24 hours, I'm sure. If you want to change it:

// In Startup.ConfigureServices; requires: using Microsoft.AspNetCore.Identity;
services.Configure<DataProtectionTokenProviderOptions>(options =>
{
    options.TokenLifespan = TimeSpan.FromDays(1); // tokens older than this are rejected as invalid
});

#2 would require some custom development, as there's no built in way to limit the number of requests. In general, you would need to somehow persist the fact that a reset was submitted for a particular account at a particular time. Then, you can query that store to determine if there's been more than 3 such attempts for a particular account within your timeframe.

That said, it's probably not a good idea to implement that. If there is some sort of malicious activity occurring, you'll end up blocking the actual user's attempts to reset their password. If you're worried about a bot spamming the form, you'd be better off implementing a CAPTCHA and/or employing a web application firewall.
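The two pieces the answer describes, as an added example that is not code from the question or the answer: a per-account throttle that persists the time of each reset request and counts those inside a window, and a dedicated token provider so the password-reset lifespan can be set on its own (configuring DataProtectionTokenProviderOptions directly also changes the lifespan of e-mail confirmation tokens, which share the default provider). The names PasswordResetThrottle, IResetAttemptStore, InMemoryResetAttemptStore, PasswordResetTokenProvider and PasswordResetTokenProviderOptions are hypothetical; the store registration for your user database is left as a comment.

```csharp
// Added example (hypothetical names); targets ASP.NET Core Identity 2.x.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public interface IResetAttemptStore
{
    Task<IReadOnlyList<DateTimeOffset>> GetAsync(string accountKey);
    Task AddAsync(string accountKey, DateTimeOffset when);
}

// Illustrative in-memory store. In production back this with the user database so the
// counter survives restarts and is shared by every instance of the application.
public sealed class InMemoryResetAttemptStore : IResetAttemptStore
{
    private readonly ConcurrentDictionary<string, List<DateTimeOffset>> _log =
        new ConcurrentDictionary<string, List<DateTimeOffset>>();

    public Task<IReadOnlyList<DateTimeOffset>> GetAsync(string accountKey)
    {
        var list = _log.GetOrAdd(accountKey, _ => new List<DateTimeOffset>());
        lock (list) return Task.FromResult<IReadOnlyList<DateTimeOffset>>(list.ToArray());
    }

    public Task AddAsync(string accountKey, DateTimeOffset when)
    {
        var list = _log.GetOrAdd(accountKey, _ => new List<DateTimeOffset>());
        lock (list) list.Add(when);
        return Task.CompletedTask;
    }
}

public sealed class PasswordResetThrottle
{
    private readonly IResetAttemptStore _store;
    private readonly int _maxAttempts;
    private readonly TimeSpan _window;

    public PasswordResetThrottle(IResetAttemptStore store, int maxAttempts = 3, TimeSpan? window = null)
    {
        _store = store;
        _maxAttempts = maxAttempts;
        _window = window ?? TimeSpan.FromDays(1);
    }

    // Records the request and returns true while the account is under the limit for the
    // sliding window; returns false (recording nothing) once the limit has been reached.
    public async Task<bool> TryRecordAsync(string normalizedEmail, DateTimeOffset now)
    {
        var recent = (await _store.GetAsync(normalizedEmail)).Count(t => now - t < _window);
        if (recent >= _maxAttempts) return false;
        await _store.AddAsync(normalizedEmail, now);
        return true;
    }
}

// Dedicated provider: same implementation as the default one, bound to its own options type.
public class PasswordResetTokenProviderOptions : DataProtectionTokenProviderOptions { }

public class PasswordResetTokenProvider : DataProtectorTokenProvider<IdentityUser>
{
    // 2.x constructor; ASP.NET Core 3.0 and later also take an ILogger parameter.
    public PasswordResetTokenProvider(IDataProtectionProvider dataProtectionProvider,
                                      IOptions<PasswordResetTokenProviderOptions> options)
        : base(dataProtectionProvider, options) { }
}

public static class PasswordResetSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentity<IdentityUser, IdentityRole>(options =>
                options.Tokens.PasswordResetTokenProvider = "PasswordReset")
            // .AddEntityFrameworkStores<YourDbContext>()   <- register your user store here
            .AddDefaultTokenProviders()
            .AddTokenProvider<PasswordResetTokenProvider>("PasswordReset");

        // Only password-reset links expire after 24 hours; other tokens keep their lifespan.
        services.Configure<PasswordResetTokenProviderOptions>(o => o.TokenLifespan = TimeSpan.FromHours(24));

        services.AddSingleton<IResetAttemptStore, InMemoryResetAttemptStore>();
        services.AddSingleton<PasswordResetThrottle>();
    }
}
```

In the Forgot Password action, call `TryRecordAsync(user.NormalizedEmail, DateTimeOffset.UtcNow)` before `GeneratePasswordResetTokenAsync` and skip sending the e-mail when it returns false, but render the same "check your e-mail" page in every case (unknown address, throttled, or sent) so the limit does not reveal which accounts exist or which ones are being targeted. Keying the counter on the normalized e-mail matches the answer's "per account" framing; a separate per-IP limit or CAPTCHA, as the answer suggests, is what actually stops a bot from locking a legitimate user out.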



Source: https://stackoverflow.com/questions/50841665/invalidate-forgot-password-link-after-time-period-asp-net-core
