I send a link as email to the users asking them to reset the password. Clicking on the link redirects to a page in my project. How can I set the expiration time for this link to 24 hours, and how do I know if this link is not re-used again? Whats the best way to do this?
Thanks
I dont know how your process looks like but the recommend way is to use a guid to identify the
passwort reset process.
This is how a process should look like.
Create a database table with the userId, createDate, closeDate, and a guid
Create a new entry in the table
Send the mail with a link to your page that has the uuid from the entry
If the user enters the page (clicks the link) you check if the process is still open (closeDate is null)
Check if the createDate is within the last 24 hours
User can change password
You set the closeDate
store email sent date&time in the database(where your maintaning userdetails) .
when your are open link for reset password capture present date. compare both date&time values . they you can procced. may this helps you.
I have an idea
Create a Time.now() and encrypt this using encryption and attach with your link
Send using Email and other option
go to the link page
write code on page load Request the sent encrypted Date Time and decipher it
match time if time is over then send to an error page else continue
Like -:- http://Yourhost/foldername.aspx?val=encryptedTimeDate
Related
In some webpages or views, I have information displayed in table. Column values are rendered as links.
Problems:
When I hover over the link, it's URL is visible at the bottom of browser.
When I click on link, I show information for the resource requested in URL. (www.someurl.com/Employee/67 gives me information of employee with id = 67).
Now, this URL is displayed in browser. If you change URL to www.someurl.com/Employee/88, it shows information of employee with id = 88 though the logged in user is not supposed to see information for employee id 88
This are serious security breaches.
I am thinking of following as possible solutions:
URL masking at application level
Base64 encoding of URL to shorten and obfuscate it, so that users can't just throw values in the URL.
#Html.AntiForgeryToken() and ValidateAntiForgeryTokenValidation mechanism
Is there better and more secure approach other than above to solve this issue?
Check in Controller serving www.someurl.com/Employee/88 if currently authenticated user has access to Employee with ID 88 and throw exception if he does not - no need to mask url.
If the user is not supposed to be able to see the employee with the id of 88 then they should not be able to see the information for the employee with id 88. The URL is more or less irrelevant and is in your case only giving them an obvious clue as to how to gain unauthorised access to data in your system.
You need a proper security plan where data is only served from the database to the UI via the business layer if the logged in user if authorised to see that data.
Here is my idea about your first approach security breach:
Mix your id with some GUID or complex structure while sending it, and when you receive it, took out your id from this and then proceed. [ Your masking idea]
I need to force users to change password at least every 30 days. How to start with it? I noted in database that table users has column credentials_expire_at and when it's set to past date such an user can't login and I thought of allowing password change in login form when message of expiration detected.
You need to do it in this way:
Create EventListener to onSecurityInteractiveLogin event
Check the date
If it fails redirect to change password form
Look at this coderwall protip: http://coderwall.com/p/cfmbaq
In my project i have created a site from where my users or clients can send some documents to other users.
I also want to see if the recepient has read the mail/has the mail been sent.
Now i want to store the value of the result ie either "Sent" in case the mail has been successfully delivered. And "Viewed" when the mail has been opnened or read by the recepient.
I have done this code
MailMessage mailme = new MailMessage();
mailme.DeliveryNotificationOptions = DeliveryNotificationOptions.OnSuccess;
As i said above i want to store the value "Sent" or "Viewed" inside a string. Further ill store the values inside my tables.
How do i get the desired result. Basically i need to get the delivery report and report if the mail has been viewed.
Also i want to get the date as well as time when the mail was viewed by the recepient.
Thank you.
You might be looking for this:
mailme.Headers.Add("Disposition-Notification-To", "yourmail#mail.com");
where "yourmail#mail.com" should get a mail if the mail was read.
I am kind of new to ASP.NET.
I wonder is there any way to restrict user can only enter from a specify page?
Like, I have a Page A to let them enter some information, then when submit, I will use Response.Redirect to Page B. But I don't want the user can go into Page B directly from URL....
If I use Session, then if the user didn't close the browser to end the session, the another user can just go into Page B directly...
Because the computer that access to these pages is using by the public, so I want to see if there is anyway to make sure they only do one way process? Can't go back to previous or jump to another page.
Thanks in Advance.
If you control the other page, start a session and set a session variable to a value that can be reversed that only your server could (or should) create, much like serial keys. For example 72150166 because the sum of every second number equals the sum of every other number (7 + 1 + 0 + 6 = 2 + 5 + 1 + 6) but you could choose an algorithm as complex or as simple as you want. When the user navigates to the second page, check the session variable. This is not invincible security, but it is better than checking the referrer (especially since some browsers do not set it) and I imagine security based on coming from a certain page doesn't have to be that strict.
Edit: You should also add it to a database and link it with the particular user's IP so someone else can't use the same key.
You can use Request.UrlReferrer property in the Page Load of PageB to see which page is the request coming from. If the request is not coming from PageA then redirect the user to PageA.
Check this link for more information: http://msdn.microsoft.com/en-us/library/system.web.httprequest.urlreferrer.aspx
Note: UrlReferrer is dependent on a request header and someone can set the header to mimic the request coming from PageA.
You could have the page that redirects send some sort of specifically generated hash/key in the query string that expires quickly and/or once viewed. This should be a lot more solid on the security side.
You will still need some way to store this key or value producing the hash so you can validate it on the receiving end- I would think your DB.
For a Web Application I'd like to generate an email validation link and send it to the user. Like on many public websites, the user should click it to validate his email address. Looks similar to this:
http://www.foo.bar/validation?code=421affe123j4h141k2l3bjkbf43134kjbfkl34bfk3b4fkjb43ffe
Can anybody help me with some hints about the proper generation of those validation tokens? Googling best practices turned out to be more difficult than I though it would be. The links should:
... not require the user to log in first.
... not reveal any login credentials to keep the application secure
... allow me as a developer to efficiently validate the token. I'm pretty sure I need a way to extract the user identifier out of the code to meet this criteria. Don't I?
Furthermore, would you go for a random code, which is saved somewhere, or a generated code which I can recalculate for validation?
Thanks for any replies!
Matthias
P.S. I'm working with ASP.NET 3.5, in case there's an out-of-the-box feature to perform this.
Some suggestions to get you started:
Use GUIDs
Use some sort of salted hash (MD5, SHA1, etc)
Use a random string of characters (the more characters the less likely you'll have collisions)
Store it in a database temporarily, and timestamp it so that it expires after a certain period of time
The simplest way to do it is generate a GUID, store that in the database tying it to their user account and then give them a time-frame within which to click a link with that GUID in.
That validates they are the correct person without making the URL calculable whilst making it resistant to dictionary style attacks.
I construct the hash in a way that can be re-created:
code = MD5( my_hash + user_email + register_timestamp )
Then send a link to http://example.com/validation/?code = 4kj34....
Validation does a lookup like:
SELECT id
FROM users
WHERE
MD5( CONCAT( my_hash, user_email, register_timestamp ) ) = code
AND activated = 0
If you get a single result, update their 'activated' field and sign them in. You can also do some math on their 'register_timestamp' field for a poor man's TTL
I would probably use a Guid. Just create a Guid (by calling Guid.NewGuid()), store it as the validation token for that user, and include it in the validation link.