Introduction
Most Web applications have protected sections that only registered users can access. Users must remember the credentials provided for each site to which they subscribe.
When users can no longer authenticate because they have lost or forgotten their passwords, the site must offer an easy and quick password recovery procedure. Usually this option is reachable from the login page of the website.
Security
The password recovery procedure must be easy for the user while still protecting the account and its data.
When designing a recovery procedure, it is good practice to follow these tips:
- Assign a temporary password that must be changed within a short period, or require the user to choose a new password. Sending the current password by email is not recommended: email travels and is stored in clear text, so anyone who can read the mailbox or a relay on the way learns the password (and being able to send it at all means the password was stored in a recoverable form).
- Do not store passwords in clear text, and do not simply encrypt them either, because whoever obtains the key can decrypt every password at once. Store a salted hash produced by a slow, password-specific function such as bcrypt, scrypt, Argon2 or PBKDF2.
- Log all recovery attempts, successful and failed, so that abuse of the procedure can be detected.
Proposed Best Practice
There are different ways to implement a password recovery procedure. The important thing to remember when designing your own is to verify the user's identity in a secure way. Some useful hints:
- Use personal questions about data stored at registration time as a secondary check before granting the reset, never as the only one: answers such as a birth date or a mother's maiden name are often easy to find out.
- Send a temporary code that is required to reset the password.
- If you really have to send a password by email, send it in an encrypted message and make it temporary, so that it becomes useless as soon as the user changes it.
The best practice, proposed in this article, is a three-step procedure.
In this procedure, the user first enters the email address and, as a security step, a control code that proves a person and not a machine is making the request. Next, if the address belongs to a registered user, a link containing a security code is sent to that address; the link lets the user complete the reset procedure. The security code is valid for a limited time: until it expires, the user can enter a new password in a dedicated page.
In this way, the current password is never displayed or handled by the application, which protects the user's identity. Passwords are stored in the database as salted hashes, never in clear text.
The best practice proposed is available in the sample project attached to this article.
Now, let's look at how this was modeled in WebRatio Platform.
The WebRatio Platform Model
This project consists of four pages:
- "Please Login" page - Home.
- "Reset Password" page.
- "Insert New Password" page.
- "Result" page.
Let's discuss each page in detail.
"Please Login" page – Home
This is a sample login page. The user can log into the Web application or start the password recovery procedure by pressing the "Forgot Password?" button. You can model this page as you wish; in this example it is used as the entry point to the password recovery.
"Reset Password" page
The "Reset Password" page is the first step in the password recovery procedure. Here the user proves his identity by providing his email and ensuring that he is really asking for password recovery and is doing so by entering a control code. The control code is different each time the user accesses the page. The user can choose whether to proceed to the next step by pressing the "Next" button, or to cancel the operation by pressing the "Cancel" button.
The IFML model in WebRatio Platform that produces the page shown in the image above is composed of the "Reset Password" page, including a Message and a Form Components, and a "Check email" action that checks the user identity by calling the referenced Action Definition.
When the user presses the "Next" button, the "Check email" action definition is activated. The following image shows the model of this Action Definition.
The "Check email" action definition receives, as input parameter, the email provided by the user. The first operation checks whether a user with that email exists. First, the Action Definition produces a security code and its expiration date. Then this security code is sent as an email to user, and reaches the "Success" OK Port. In the second case, the Action Definition exits through the "Failure" KO Port.
The security code is a random code that is contained in a link to allow the user to complete the procedure. This is another security check to ensure that if somebody has stolen the email of a Web application user, in order to be able to reset the password, the attacker must also know the credential to email the User's provider. In addition, again for reasons of security, the link created with this security code is only valid for a specific time. In our sample, the expiration date is calculated by the "Dates Function" component downloaded from the WebRatio Add-ons, that takes the current date and sum one day, in this way the secret code remains valid until the day after the date of the reset password request.
Whatever the result of the action, positive or negative, the following message appears:
This message is displayed regardless of the result of the "Check email" Action. Answering identically whether or not the address is registered prevents an attacker from using the recovery form to discover which email addresses have an account; several website operators have adopted this policy to protect their users.
Here is the sample text of the email sent to the user. You can change the text as you like, but keep the link with the security code in the message; otherwise the user cannot complete the password recovery procedure.
When the user clicks the "here" link, the code is passed to the "Check reset code" action. The following image shows the model of this Action Definition.
The "Check reset code" action definition receives the code carried by the link in the email as input parameter. The first operation checks whether the security code is associated with a user. If it is, the Action Definition checks the code's expiration date and, if the code is still valid, reaches the "Success" OK Port. If the code is unknown or expired, the Action Definition exits through the "Failure" KO Port.
If the result of the "Check reset code" is positive, it will display the "Insert New Password" page. Otherwise, an error message will be displayed, depending on the type of error detected.
"Insert New Password" page
This page will appear when the user clicks on the "here" link in the "Password Reset" email received.
The "Insert New Password" page is the last page of the password recovery procedure. It asks the user to enter the new password to be used during the login.
The IFML model in WebRatio Platform of the page is composed of the "Insert New Password" page, containing a Message and a Form component, and of the "Reset password" action, which stores the new password.
When the user presses the "Confirm" button, the "Reset password" action definition is activated. The following image shows the model of this Action Definition.
The "Reset password" action definition receives, as input parameter, the new password provided by the user and stores it. When the reset is successful, the user is redirected to a page communicating that the operation was successful. In the other case, an error message is displayed to the user.
"Result" page
This page appears at the end of each transaction, with a message that depends on the outcome:
- Email sent with instructions to reset the password:
- Password reset confirmed:
- Security code expired:
This page is modeled in this way:
How to use the sample project
You can use the "PasswordRecoverySample.zip" sample project attached to this article, to test the proposed password recovery procedure.
Follow these steps to use the project:
- Import the sample project in WebRatio Platform. You can learn how to do this by watching the "Organize the Workspace" online lesson.
- Download the "Dates Function" component, used in the project, from the WebRatio Add-ons.
- Set the properties of the SMTP Server Provider connected to the Mail Component used in the project. You can refer to this procedure in the "Looping & Branching" online lesson.
- In the "Init" action definition, change the value of the "email" attribute of the "User" entity to an existing email address, so that you can test the sending of the email.
- Finally, modify the link in the template associated to the Mail Component: in the WebRatio Explorer View, expand the project's "WebContent" folder > WEB-INF > template and open the "reset.mt" file. At line 4, change the "href" attribute that builds the link to the last reset page according to the WebRatio version you are using: with WebRatio Community Platform, replace the string "http://localhost:8080/PasswordRecoverySample" with the location of your application (for example http://freef5555e-freeapp.eu.webratio.net).
- Now generate the project and start Tomcat, using the "Generate and Run on Cloud" command if you have the WebRatio Community Platform version, or the "Generate and Run" command otherwise.
- Visit http://localhost:8080/PasswordRecoverySample/page1.do or http://freexxxxx-freeapp.eu.webratio.net/ with any browser and follow the procedure.