Configuring Reset Password to use long validation codes

When a registered user requests a reset of a forgotten password, you can configure the Reset Password URL to send a randomly generated validation code instead of a temporary password. By default, this code can be up to 100 characters long.

Validation codes are generated and used in the following circumstances:
  • A registered user enters their login ID and clicks Forgot Password.
    • A registered user clicks Forgot Password. After the user answers a challenge question correctly, a validation code is emailed to the user. The user then enters the validation code and a new password to update their password. The validation code is valid only for the login timeout value specified in ResetPasswordGuestCmdImpl.getExpiryPeriod(), which is set in wc-server.xml and is 30 minutes by default. After that period, the validation code expires.
  • An administrator requests a password reset on behalf of a registered user. A validation code is emailed to the user. The registered user must follow the steps provided in the email and enter the validation code, new password, and verify password to change the account password.
HCL Commerce Version 9.1.7.0 or later
Note: The command can be configured to email a short, numeric validation code. See Configuring Reset Password to use short validation codes.
To update the Reset Password feature to generate validation codes instead of temporary passwords, update the CMDREG database table.

Procedure

  1. Update the CMDREG database table to enable validation codes.
    -- Each statement replaces the entire PROPERTIES value of the matching rows.
    update cmdreg
    set properties = 'validationCode=true'
    where interfacename = 'com.ibm.commerce.security.commands.ResetPasswordGuestCmd';

    update cmdreg
    set properties = 'validationCode=true'
    where interfacename = 'com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd';

    update cmdreg
    set properties = 'validationCode=true'
    where interfacename = 'com.ibm.commerce.security.commands.ResetPasswordCmd';
  2. Modify store JSP files as necessary.
    For an example of a Validation Code page, see the Aurora starter store Forgot Password, Enter Validation Code, and Change Password pages.
  3. Restart the server or update the CMDREG registry in the Administration Console.
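
The statements in step 1 overwrite whatever is already stored in PROPERTIES for the three commands. The following variant of step 1 is an added example, not part of the product documentation: it records the current values, appends validationCode=true without discarding existing settings, and then verifies the result. It assumes that PROPERTIES holds query-string style pairs (name=value joined by &) and that the database supports || concatenation, as Db2 and Oracle do.

```sql
-- Added example, not the product's own script.
-- Assumption: CMDREG.PROPERTIES uses the form name1=value1&name2=value2.

-- 1. Before the change: record the current values so they can be restored.
select storeent_id, interfacename, properties
from cmdreg
where interfacename in (
  'com.ibm.commerce.security.commands.ResetPasswordGuestCmd',
  'com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd',
  'com.ibm.commerce.security.commands.ResetPasswordCmd');

-- 2. Enable validation codes while keeping any properties already set.
--    Rows that already contain a validationCode entry are left untouched,
--    so an existing setting is never duplicated or silently changed.
update cmdreg
set properties = case
      when properties is null or trim(properties) = ''
        then 'validationCode=true'
      else properties || '&validationCode=true'
    end
where interfacename in (
  'com.ibm.commerce.security.commands.ResetPasswordGuestCmd',
  'com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd',
  'com.ibm.commerce.security.commands.ResetPasswordCmd')
  and (properties is null or properties not like '%validationCode=%');

-- 3. After the change: list any row that still lacks validationCode=true.
--    An empty result means all three commands will issue validation codes
--    once the server is restarted or the CMDREG registry is updated.
select storeent_id, interfacename, properties
from cmdreg
where interfacename in (
  'com.ibm.commerce.security.commands.ResetPasswordGuestCmd',
  'com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd',
  'com.ibm.commerce.security.commands.ResetPasswordCmd')
  and (properties is null or properties not like '%validationCode=true%');
```

Any row returned by the last query still issues temporary passwords for that command and needs to be reviewed by hand.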