I am sending a link to an email address for password reset functionality, and after some time I want this link to expire. For that I have created a token (which is encrypted using a key) and an expire-date, and I want to put these as a query in my email link, but I don't know how to do it. This is how I use the token class in the forgotPassword POST method.
```csharp
var tokenModel = new LinkExpire();
tokenModel.ExpiresOn = DateTime.Now.AddSeconds(10);
tokenModel.CreateToken = TokenHelperMethods.GetToken(tokenModel);
```
This is my link code.
```csharp
string resetCode = Guid.NewGuid().ToString();
var varifyUrl = "/E_HealthCare_Web/Account/ResetPassword/" + resetCode;
var link = Request.Url.AbsoluteUri.Replace(Request.Url.PathAndQuery, varifyUrl);
```
And in my email body I am sending the link like this:
```csharp
"<br/> <br/> <a href = '" + link + "&expire=" + tokenModel.ExpiresOn + "&token=" + tokenModel.CreateToken + "'>Reset link</a> <br/><br/>"
```
This does not work as expected. Can anyone help me achieve this? Also, I am not using Core, only MVC 5.
Edit: this is my controller action where I am receiving the link values:
```csharp
public ActionResult ResetPassword(string id, DateTime expire, string token)
```
Clicking on the link gives the error `A potentially dangerous Request.Path value was detected from the client (&)`.
CodePudding user response:
Here is my suggestion: instead of adding expiration token query parameters to the URL, manage this at your action method level, i.e.
You already have the information about which login is going to this URL. All you have to do is, before sending this URL via email, make a separate temp table that will have a user ID column, a reset password URL path column, a created date/time column (this column will manage the date/time when you send the URL to the user for password reset) and an active/inactive status column.
Now at code level, when this particular URL is hit by the user, first get the active row entry only against this URL & user ID and get the created date/time column value.
Check the difference between the active created date/time column and the current date/time.
If the difference between the two dates is more than 24 hr, send an expiration response; otherwise change the password.
Mark that entry as inactive.
Know that against each user the active entry in this new table exists only when the user requests a password reset; otherwise all existing entries are marked as inactive.
You can delete instead of active/inactive as well; this is a temp table.
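The table-based approach described in the answer, as an added example in plain C# that is not code from the question or the answer: an in-memory dictionary stands in for the temp table, the base URL is assumed, and the class and method names are hypothetical. Only a hash of the random token is stored, the link uses `?` to start the query string (the original `&expire=` landed in the path, which is what triggered the Request.Path error), and each token is single-use.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the question's or answer's code. An in-memory dictionary stands in
// for the answer's temp table (user ID, created date/time, active flag).
public class ResetTokenStore
{
    private class Entry { public string UserId; public DateTime CreatedUtc; public bool Active = true; }

    // Keyed by SHA-256 of the token, so a leaked table does not yield usable reset links.
    private readonly Dictionary<string, Entry> _rows = new Dictionary<string, Entry>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(24); // the answer's 24 hr window

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Issue a fresh random token and deactivate any earlier one, so each user has at most one active row.
    public string Issue(string userId, DateTime nowUtc)
    {
        foreach (var e in _rows.Values) if (e.UserId == userId) e.Active = false;
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        // URL-safe base64 so the token needs no special handling in the query string
        string token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _rows[Hash(token)] = new Entry { UserId = userId, CreatedUtc = nowUtc };
        return token;
    }

    // Build the email link. The query string starts with '?' (hypothetical base URL assumed by the caller).
    public static string BuildLink(string baseUrl, string token)
    {
        return baseUrl + "/Account/ResetPassword?token=" + Uri.EscapeDataString(token);
    }

    // Called from the ResetPassword action: find the active row, consume it, then check the 24 hr window.
    // Returns false (and no user ID) for unknown, already used, or expired tokens.
    public bool TryConsume(string token, DateTime nowUtc, out string userId)
    {
        userId = null;
        Entry e;
        if (!_rows.TryGetValue(Hash(token), out e) || !e.Active) return false;
        e.Active = false; // single use, whether or not it turns out to be expired
        if (nowUtc - e.CreatedUtc > Lifetime) return false;
        userId = e.UserId;
        return true;
    }
}
```

The controller action would call `TryConsume` with the `token` query parameter and only show the new-password form when it returns true; the user ID comes back from the stored row rather than from the URL.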