Configuring storefront Reset Password feature to use validation codes
Some stores are configured to generate an arbitrary temporary password for a registered user when the user requests to reset a forgotten password. For added security, you can configure the Reset Password URL to send a randomly generated validation code instead of a temporary password.
Validation codes are generated and used as follows:
- A registered user clicks Forgot Password. After the user answers a
challenge question correctly, a validation code is emailed to the user. The user then enters the
validation code and a new password to update their password. As a security measure, the validation
code must be used in the same session that was used to answer the challenge question. Furthermore,
the validation code is only valid for the time frame that is specified in
ResetPasswordGuestCmdImpl.getExpiryPeriod(), which is 30 minutes by default. Otherwise, the validation code expires. - An administrator requests a password reset on behalf of a registered user. A validation code is emailed to the user. The user must follow the link that is supplied in the email and enter the validation code, new password, and verify password to change the account password.
Note: Validation codes include encrypted information about the session. Therefore, their length
cannot be shorted.
To update the Reset Password feature to generate
validation codes instead of temporary passwords, update the CMDREG database
table.