Invalidate "Forgot Password" link after time period asp net core


Problem description

I am implementing Forgot Password scenario in an asp .net core 2.x application. I followed the default behavior

  1. Click the Forgot Password link on the login page
  2. Enter the email
  3. Send an email with the link /ResetPassword?code=[some encoded string]... etc.
  4. Click the link, which opens the "Reset Password" screen with email, new password and confirm password.

All the above is OK, and if the user attempts to click the link in step 3, the system will deny the request saying, "Invalid Token!"

I need to implement a couple more things, following best practice.

  1. Deny the request or invalidate the token after a period of time, i.e. 24 hours.
  2. Deny the request if the user exceeds a threshold, i.e. 3 times per day.

Any help? Thanks in advance.

Recommended answer

#1 is already the case, though the default is more than 24 hours, I'm sure. If you want to change it:

using Microsoft.AspNetCore.Identity;

// In Startup.ConfigureServices: shorten the lifetime of the tokens the default
// data-protection token provider issues (password reset, email confirmation).
services.Configure<DataProtectionTokenProviderOptions>(options =>
{
    options.TokenLifespan = TimeSpan.FromDays(1);
});

#2 would require some custom development, as there's no built in way to limit the number of requests. In general, you would need to somehow persist the fact that a reset was submitted for a particular account at a particular time. Then, you can query that store to determine if there's been more than 3 such attempts for a particular account within your timeframe.

That said, it's probably not a good idea to implement that. If there is some sort of malicious activity occurring, you'll end up blocking the actual user's attempts to reset their password. If you're worried about a bot spamming the form, you'd be better off implementing a CAPTCHA and/or employing a web application firewall.
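As an added illustration of the "persist each reset attempt and query the store" approach described in the answer (this is example code, not the answer's or ASP.NET Core Identity's own; the class name ResetAttemptThrottle and the in-memory store are assumptions, and a real deployment would persist the attempts in a database or cache so the limit survives restarts and applies across instances):

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Hypothetical per-account throttle for password-reset requests: at most
// maxAttempts within a sliding window (defaults match the question: 3 per day).
public sealed class ResetAttemptThrottle
{
    private readonly int _maxAttempts;
    private readonly TimeSpan _window;
    private readonly ConcurrentDictionary<string, List<DateTimeOffset>> _attempts = new();

    public ResetAttemptThrottle(int maxAttempts = 3, TimeSpan? window = null)
    {
        _maxAttempts = maxAttempts;
        _window = window ?? TimeSpan.FromDays(1);
    }

    // Returns true and records the attempt if a reset email may be sent for this
    // account; returns false if the account already reached the limit in the window.
    public bool TryRecordAttempt(string email, DateTimeOffset now)
    {
        // Normalize so "User@Example.com" and "user@example.com" share one bucket.
        var key = email.Trim().ToUpperInvariant();
        var list = _attempts.GetOrAdd(key, _ => new List<DateTimeOffset>());
        lock (list)
        {
            // Sliding window: discard timestamps that fell out of the window first.
            list.RemoveAll(t => now - t > _window);
            if (list.Count >= _maxAttempts)
                return false;
            list.Add(now);
            return true;
        }
    }
}

// Sketch of use in the ForgotPassword POST handler. Respond with the same
// confirmation page whether or not the email is sent, so neither the throttle
// nor the lookup reveals which addresses are registered.
//
// if (user != null && throttle.TryRecordAttempt(model.Email, DateTimeOffset.UtcNow))
// {
//     var code = await _userManager.GeneratePasswordResetTokenAsync(user);
//     // ... send the email containing /ResetPassword?code=...
// }
// return RedirectToPage("./ForgotPasswordConfirmation");
```

When the limit is hit the throttle only suppresses the email; it does not lock the account, which keeps the downside the answer warns about (a real user blocked from resetting) bounded to the window length.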
