Configure storefront Reset Password feature to use validation codes
Some stores are configured to generate an arbitrary temporary password for a registered user when the user requests to reset a forgotten password. For added security, we can configure the Reset Password URL to send a randomly generated validation code instead of a temporary password. Validation codes are generated and used as follows:
- A registered user clicks Forgot Password. After the user answers a challenge question correctly, a validation code is emailed to the user. The user then enters the validation code and a new password to update their password. As a security measure, the validation code must be used in the same session that was used to answer the challenge question. Furthermore, the validation code is valid only for the time frame specified by ResetPasswordGuestCmdImpl.getExpiryPeriod(), which is 30 minutes by default; after that period the validation code expires.
- An administrator requests a password reset on behalf of a registered user. A validation code is emailed to the user. The user must follow the link that is supplied in the email and enter the validation code, new password, and verify password to change the account password.
Note: Validation codes include encrypted information about the session. Therefore, their length cannot be shortened. To update the Reset Password feature to generate validation codes instead of temporary passwords, update the CMDREG database table.
Procedure
- Update the CMDREG database table to enable validation codes.
update cmdreg set properties='validationCode=true' where interfacename ='com.ibm.commerce.security.commands.ResetPasswordGuestCmd';
update cmdreg set properties='validationCode=true' where interfacename ='com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd';
update cmdreg set properties='validationCode=true' where interfacename ='com.ibm.commerce.security.commands.ResetPasswordCmd';
- Modify store JSP files as necessary. For an example of a Validation Code page, see the Aurora starter store Forgot Password, Enter Validation Code, and Change Password pages.
- Restart the server or update the CMDREG registry in the Administration Console.
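A more cautious way to run the CMDREG change, added here as an example and not part of the product documentation: because the UPDATE in the procedure replaces the entire PROPERTIES value, the statements below first show the current rows, change only rows that carry no other properties yet, and then verify the result. The STOREENT_ID column is assumed to be present as in a standard CMDREG table.

```sql
-- Step 1: inspect the three command registrations before touching them.
-- Any existing PROPERTIES value here would be overwritten by a plain UPDATE.
SELECT storeent_id, interfacename, properties
  FROM cmdreg
 WHERE interfacename IN (
       'com.ibm.commerce.security.commands.ResetPasswordGuestCmd',
       'com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd',
       'com.ibm.commerce.security.commands.ResetPasswordCmd');

-- Step 2: enable validation codes, but only on rows that hold no other
-- properties. Rows that already have a value must be merged by hand so that
-- the existing settings are not lost.
UPDATE cmdreg
   SET properties = 'validationCode=true'
 WHERE interfacename IN (
       'com.ibm.commerce.security.commands.ResetPasswordGuestCmd',
       'com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd',
       'com.ibm.commerce.security.commands.ResetPasswordCmd')
   AND (properties IS NULL OR properties = '');

-- Step 3: verify. Every row should report OK; a row marked NOT SET still
-- hands out temporary passwords and needs a manual merge of its properties.
SELECT storeent_id, interfacename, properties,
       CASE WHEN properties LIKE '%validationCode=true%'
            THEN 'OK' ELSE 'NOT SET' END AS validation_code_status
  FROM cmdreg
 WHERE interfacename IN (
       'com.ibm.commerce.security.commands.ResetPasswordGuestCmd',
       'com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd',
       'com.ibm.commerce.security.commands.ResetPasswordCmd');
```

The change takes effect only after the server is restarted or the CMDREG registry is updated in the Administration Console, so run the verification query before that step and confirm the flow on a test account afterwards.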
Related concepts
Member subsystem
Related reference
ResetPassword URL
Member subsystem URLs
AdminResetPassword URL
Shopping flow URLs