HCL Commerce Version 9.1.7.0 or later

Configuring Reset Password to use short validation codes

Important: This version of this topic applies to versions HCL Commerce 9.1.7.0 and greater. To configure the generation of validation codes in previous versions, see Configuring Reset Password to use long validation codes.

When a customer requests a password change, you can configure the Reset Password function to email them a short, numeric validation code. Prior to Version 9.1.7.0, the validation code was long, up to 100 characters. You can still use the long validation code; however, this approach is deprecated and will be discontinued in a future release.

Validation codes are generated and used in the following circumstances:
  • A registered user clicks Forgot Password. After the user answers a challenge question correctly, a six-digit validation code is emailed to the user. The user then enters the validation code and a new password to update their password. The validation code is valid only for the expiry period (the login timeout value) returned by ResetPasswordGuestCmdImpl.getExpiryPeriod(), which is set in wc-server.xml and is 30 minutes by default; after that period the validation code expires.
  • An administrator requests a password reset on behalf of a registered user. A validation code is emailed to the user. The registered user must follow the steps provided in the email and enter the validation code, new password, and verify password to change the account password.
The user receives an error message if they enter an incorrect validation code. The maximum number of attempts to enter a validation code is three. After three failures the code is no longer accepted, and the user must generate a new validation code to reset the password.
Note:
  • Developers can change the retry count threshold by overriding the ResetPasswordGuestPersistValidationCmdImpl.getValidationCodeRetryCountThreshold method, which defines the maximum number of validation code attempts.
  • Developers can change the validation code length and expiry period by overriding the getValidationCodeLength and getExpiryPeriod methods of the ResetPasswordGuestCmdImpl class, which define the length of the validation code and its expiry time, respectively. Keep in mind that a shorter code means a smaller guess space, so the retry count threshold is what keeps a short numeric code from being brute-forced.
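The lifecycle described above (a short numeric code with an expiry period, a retry threshold, and a fresh code required after the threshold is reached) as an added example in Python. This is an illustrative model, not HCL Commerce code: the class and constant names are assumptions chosen for the example, and HCL Commerce's own persistence of the code is not shown on this page. The example also shows two practices a practitioner would want around a six-digit code: generating it from a CSPRNG, and storing only a salted hash so a leaked table does not expose usable codes. With a six-digit code and three attempts, a guessing attacker succeeds on at most 3 in 1,000,000 issued codes.

```python
"""Illustrative model of a short numeric reset-password validation code.

Added example; it is not HCL Commerce code. The names below are assumptions
chosen to mirror the behaviour the page describes: a six-digit code that
expires after 30 minutes and is discarded after three failed attempts.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

VALIDATION_CODE_LENGTH = 6          # analogous to getValidationCodeLength()
EXPIRY_PERIOD_SECONDS = 30 * 60     # analogous to getExpiryPeriod(): 30 minutes
RETRY_COUNT_THRESHOLD = 3           # analogous to getValidationCodeRetryCountThreshold()


@dataclass
class PendingReset:
    code_hash: bytes            # only a salted hash is stored, never the clear code
    salt: bytes
    issued_at: float
    failed_attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    # A slow hash makes enumerating the 10**6 code space from a leaked table costly.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 20_000)


def generate_code(length: int = VALIDATION_CODE_LENGTH) -> str:
    """Uniformly random numeric code from a CSPRNG, zero-padded to `length` digits."""
    return f"{secrets.randbelow(10 ** length):0{length}d}"


class ValidationCodeStore:
    """Holds at most one pending code per logon ID; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, PendingReset] = {}

    def issue(self, logon_id: str) -> str:
        """Create a new code for the user and return the clear code to be emailed.
        Issuing a new code replaces any earlier pending code for that user."""
        code = generate_code()
        salt = secrets.token_bytes(16)
        self._pending[logon_id] = PendingReset(_hash_code(code, salt), salt, self._now())
        return code

    def verify(self, logon_id: str, submitted: str) -> str:
        """Check a submitted code. Returns one of:
        'ok'      - code matched; it is consumed and cannot be reused
        'expired' - expiry period elapsed; the user must request a new code
        'locked'  - third failure; the code is discarded, a new one is required
        'invalid' - wrong code, attempts remain
        'none'    - no pending code for this user
        """
        entry = self._pending.get(logon_id)
        if entry is None:
            return "none"
        if self._now() - entry.issued_at > EXPIRY_PERIOD_SECONDS:
            del self._pending[logon_id]
            return "expired"
        # Constant-time comparison of hashes avoids leaking matching prefixes.
        if hmac.compare_digest(_hash_code(submitted, entry.salt), entry.code_hash):
            del self._pending[logon_id]     # single use
            return "ok"
        entry.failed_attempts += 1
        if entry.failed_attempts >= RETRY_COUNT_THRESHOLD:
            del self._pending[logon_id]     # user must generate a new code
            return "locked"
        return "invalid"


def wrong_guess(code: str) -> str:
    """Helper for the walkthrough: a code that is guaranteed not to match."""
    return f"{(int(code) + 1) % 10 ** len(code):0{len(code)}d}"


if __name__ == "__main__":
    clock = [1_000.0]
    store = ValidationCodeStore(now=lambda: clock[0])
    code = store.issue("alice")
    print(store.verify("alice", wrong_guess(code)))   # invalid
    print(store.verify("alice", code))                # ok
    print(store.verify("alice", code))                # none (already consumed)
```

The store is keyed by logon ID and keeps a single pending entry per user, so a repeated Forgot Password request simply replaces the earlier code; the retry counter belongs to the entry and therefore resets only when a new code is issued, which matches the page's "must generate a new validation code" rule.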

To update the Reset Password feature to generate numeric validation codes, update the CMDREG database table.

Procedure

  1. Update the CMDREG database table to enable numeric validation codes. Replace storeId with the STOREENT_ID of the store you are configuring. Note that these statements replace the whole PROPERTIES value for each row; if a row already holds other properties, append persistentValidationCode=true to the existing value instead of overwriting it.
    update cmdreg
    set properties='persistentValidationCode=true'
    where interfacename ='com.ibm.commerce.security.commands.ResetPasswordGuestCmd' and storeent_id = storeId;

    update cmdreg
    set properties='persistentValidationCode=true'
    where interfacename ='com.ibm.commerce.security.commands.ResetPasswordCmd' and storeent_id = storeId;

    update cmdreg
    set properties='persistentValidationCode=true'
    where interfacename ='com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd' and storeent_id = storeId;
    
  2. Modify the store JSP files so that the storefront prompts for and submits the numeric validation code.
    For an example of a Validation Code page, see the Aurora starter store Forgot Password, Enter Validation Code, and Change Password pages.
  3. Restart the server or update the CMDREG registry in the Administration Console to apply the changes.

Results

The validation code security functionality enhancement is enabled. Site users who now use the Reset Password function on the storefront are emailed a numeric validation code, and are required to enter it before the code's expiry period has elapsed in order to regain access to their account.