Kalle,

Thanks for the reply. So do you require that they re-enter the password to
validate the account? Or just the fact that the password hash matches is
good enough? Do you send these two things in the clear as query params, or
do you URLencode them together?

Tauren

On Thu, Sep 17, 2009 at 6:34 PM, Kalle Korhonen
<[email protected]> wrote:

> I simply send the password hash in the activation/password reset
> emails (I use the same mechanism for both) together with the email
> address/username. If account is locked and expired, user is allowed to
> activate it and is forced to choose a new password, after which I set
> the account back to enabled. Additionally, I set an expiration date -
> for activation cases it's obviously a fairly short period (e.g. 24h)
> but can be used to expire a regular password as well.
>
> Kalle
>
>
> On Thu, Sep 17, 2009 at 6:19 PM, Tauren Mills <[email protected]> wrote:
> > This might be a little off-topic, but I figured shiro users would have
> > experience or opinions on this.
> >
> > I'm looking for advice on creating an activation link that is emailed to a
> > new user of a web site. In a previous small project I created a string like
> > the following and then used a Base64 hash on it:
> >
> > username:datecreated:emailaddress:expiredate
> >
> > When a link with the hash is clicked, the values would be extracted and used
> > to look up the account, verify that the date created and email address
> > match, and that the current date is before the expire date.  If this all
> > matches, then the account would be activated.
> >
> > However, this isn't terribly secure.  Anyone have advice on a better way to
> > do this? Does shiro provide any encryption/decryption features that I could
> > use to make it stronger? Are there recommended encryption tools I should be
> > using for this?
> >
> > Lastly, I also need a forgot/reset password link for my current project and
> > want to make it more secure as well.
> >
> > Thanks,
> > Tauren
> >
> >
>

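The thread above weighs a Base64-encoded `username:datecreated:emailaddress:expiredate` string against e-mailing the stored password hash. Base64 is an encoding anyone can decode and re-encode, so the first kind of link is forgeable, and the second puts a credential-derived secret into mail. The following is an added example, not code from this thread and not Shiro's own API, showing the usual alternative: a link that carries only the username, an expiry and a random nonce, authenticated with a server-side HMAC key. The key handling, the `HmacSHA256` choice and the token layout are assumptions of the example; it uses only the JDK's `javax.crypto` and `java.util.Base64`, so it needs Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the thread, not Shiro API): an activation / password-reset
 * token signed with a server-side HMAC key and carrying its own expiry.
 * Layout: base64url(username:expiresEpochSeconds:nonce) "." base64url(HMAC-SHA256).
 * Nothing secret (no password hash) is placed in the link; the HMAC prevents forgery
 * and the nonce lets the server record the token as used after one successful click.
 */
public class ActivationToken {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();

    private final byte[] key; // hypothetical: loaded from server configuration, never sent to the client

    public ActivationToken(byte[] key) { this.key = key.clone(); }

    /** Build a token for username that stops being valid at expires. */
    public String create(String username, Instant expires) {
        if (username.indexOf(':') >= 0) throw new IllegalArgumentException("':' not allowed in username");
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        String payload = username + ":" + expires.getEpochSecond() + ":" + b64(nonce);
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(hmac(payload));
    }

    /** Returns the username if the token is authentic and unexpired at now, otherwise null. */
    public String verify(String token, Instant now) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2) return null;
        byte[] payloadBytes, mac;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(parts[0]);
            mac = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // not base64url
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        // Constant-time comparison: a plain equals() would leak where the first mismatching byte is.
        if (!MessageDigest.isEqual(hmac(payload), mac)) return null;
        String[] fields = payload.split(":", -1);
        if (fields.length != 3) return null;
        long expires;
        try { expires = Long.parseLong(fields[1]); } catch (NumberFormatException e) { return null; }
        if (now.getEpochSecond() >= expires) return null; // expired
        return fields[0];
    }

    private byte[] hmac(String data) {
        try {
            Mac m = Mac.getInstance(HMAC_ALG);
            m.init(new SecretKeySpec(key, HMAC_ALG));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key); // constructed for the demo; a real key is persistent server config
        ActivationToken tokens = new ActivationToken(key);
        Instant now = Instant.now();

        String t = tokens.create("tauren", now.plusSeconds(24 * 3600));
        System.out.println("valid     -> " + tokens.verify(t, now));                         // tauren
        System.out.println("expired   -> " + tokens.verify(t, now.plusSeconds(25 * 3600)));  // null

        // Tampering: re-encode the payload with a different username but keep the original MAC.
        String forgedPayload = "admin:" + now.plusSeconds(3600).getEpochSecond() + ":x";
        String forged = b64(forgedPayload.getBytes(StandardCharsets.UTF_8)) + "." + t.split("\\.")[1];
        System.out.println("forged    -> " + tokens.verify(forged, now));                    // null
        System.out.println("other key -> " + new ActivationToken(new byte[32]).verify(t, now)); // null
    }
}
```

Verification recomputes the MAC over the decoded payload and compares it with `MessageDigest.isEqual`, so the check is constant-time, and the expiry is read from the signed payload, so a short activation window (the 24h mentioned above) and a longer reset window both fit the same mechanism. To make a link single-use, persist the nonce when the mail is sent and delete it on the first successful `verify`.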