使“忘记密码"无效一段时间后的链接asp net core [英] Invalidate "Forgot Password" link after time period asp net core

问题描述

我正在ASP.NET Core 2.x应用程序中实现忘记密码"方案.我遵循了默认行为

I am implementing Forgot Password scenario in an asp .net core 2.x application. I followed the default behavior

1. 单击登录名中的忘记密码链接
2. 输入电子邮件
3. 发送带有链接/ResetPassword?code = [某些编码字符串]的电子邮件 ...等
4. 单击链接，然后打开带有电子邮件的重置密码"屏幕， 新密码并确认密码.

1. Click forgot password link from login
2. Enter email
3. Send an email with a link /ResetPassword?code=[Some encoded string] ...etc
4. Click the link and opens the Reset Password screen with an email, new password and confirm password.

以上所有操作都可以，如果用户在步骤3中尝试单击链接，则系统将拒绝该请求，说无效令牌！".

All the above is Ok, and if the user attemps to click the link in step 3, the system will deny the request saying, Invalid Token!

按照最佳实践，我需要实施更多对操作.

I need to implement more couple, following the best practice.

1. 在一段时间后拒绝请求或使令牌无效.即24小时.
2. 如果用户尝试超过阈值，则拒绝该请求.即每天3次.

有帮助吗? 预先感谢.

Any help? Thanks in Advance.

推荐答案

#1已经存在，尽管默认时间超过24小时.如果要更改它:

#1 is already the case, though the default is more than 24 hours, I'm sure. If you want to change it:

services.Configure<DataProtectionTokenProviderOptions>(options =>
{
    options.TokenLifespan = TimeSpan.FromDays(1);
});

#2将需要进行一些自定义开发，因为没有内置的方式来限制请求的数量.通常，您需要以某种方式坚持这样一个事实，即在特定时间为特定帐户提交了重置.然后，您可以查询该存储，以确定在您的时间范围内针对特定帐户进行的此类尝试是否超过3次.

#2 would require some custom development, as there's no built in way to limit the number of requests. In general, you would need to somehow persist the fact that a reset was submitted for a particular account at a particular time. Then, you can query that store to determine if there's been more than 3 such attempts for a particular account within your timeframe.

也就是说，实现它可能不是一个好主意.如果发生某种恶意活动，您将最终阻止实际用户重设其密码的尝试.如果您担心机器人会向表单发送垃圾邮件，则最好实施CAPTCHA和/或使用Web应用程序防火墙.

That said, it's probably not a good idea to implement that. If there is some sort of malicious activity occurring, you'll end up blocking the actual user's attempts to reset their password. If you're worried about a bot spamming the form, you'd be better off implementing a CAPTCHA and/or employing a web application firewall.

这篇关于使“忘记密码"无效一段时间后的链接asp net core的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！