Configuring Reset Password to use short validation codes
Important: This version of this topic applies to HCL Commerce versions 9.1.7.0 and greater. To configure the generation of validation codes in previous versions, see Configuring Reset Password to use long validation codes.
When a customer requests a password change, you can configure the Reset Password function to email them a short, numeric validation code. Prior to Version 9.1.7.0, the validation code was long, up to 100 characters. You can still use the long validation code; however, this approach is deprecated and will be discontinued in a future release.
Validation codes are generated and used in the following circumstances:
- A registered user clicks Forgot Password. After the user answers a challenge question correctly, a six-digit validation code is emailed to the user. The user then enters the validation code and a new password to update their password. The validation code is valid only for the login timeout value specified in ResetPasswordGuestCmdImpl.getExpiryPeriod(), which is set in wc-server.xml and is 30 minutes by default. After that time, the validation code expires.
- An administrator requests a password reset on behalf of a registered user. A validation code is emailed to the user. The registered user must follow the steps provided in the email and enter the validation code, new password, and verify password to change the account password.
Note:
- Users may modify the retryCountThreshold, which has a default value of 3, by overriding the ResetPasswordGuest*ValidatePersistentCode*CmdImpl.getValidationCodeRetryCountThreshold method, which defines the maximum number of validation code attempts.
- Users may modify the validationCodeLength, which has a default value of 6, and the expiryPeriod, whose default value is equal to the cookie timeout value, by overriding the getValidationCodeLength and getExpiryPeriod methods of the class ResetPasswordGuestCmdImpl. This allows you to define the length of the validation code and its expiry time, respectively.
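The code length, retry threshold and expiry period together decide how guessable a short code is. The following is an added example in Python, not HCL Commerce code: it models the three settings with their documented defaults. The class and function names are hypothetical, and it assumes a code is rejected once the retry threshold of failed attempts is reached.

```python
import hmac
import secrets
import time


class ValidationCode:
    """Illustrative model of a short numeric reset code (hypothetical names)."""

    def __init__(self, length=6, retry_threshold=3, expiry_seconds=30 * 60,
                 now=time.time):
        self._now = now                      # injectable clock for testing
        self.retry_threshold = retry_threshold
        self.expires_at = now() + expiry_seconds
        self.failed = 0
        # Draw from a CSPRNG and zero-pad so the code always has `length` digits.
        self.code = f"{secrets.randbelow(10 ** length):0{length}d}"

    def check(self, submitted):
        """Return 'ok', 'expired', 'locked' or 'wrong' for one attempt."""
        if self._now() >= self.expires_at:
            return "expired"
        if self.failed >= self.retry_threshold:
            return "locked"                  # assumption: no attempts remain
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            return "ok"
        self.failed += 1
        return "wrong"


def guess_probability(length, retry_threshold):
    """Chance that distinct blind guesses hit one code before it locks."""
    return min(1.0, retry_threshold / 10 ** length)


if __name__ == "__main__":
    for length, retries in [(6, 3), (6, 10), (4, 3)]:
        print(length, retries, guess_probability(length, retries))
```

With the defaults, blind guessing succeeds against one code with probability 3 in 1,000,000; a shorter code or a higher threshold raises that proportionally, so review the two overrides together.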
To update the Reset Password feature to generate numeric validation codes, update the CMDREG database table.
Procedure
- Update the CMDREG database table to enable numeric validation codes.

  -- Replace storeId with the ID of the store being configured.
  update cmdreg
     set properties = 'persistentValidationCode=true'
   where interfacename = 'com.ibm.commerce.security.commands.ResetPasswordGuestCmd'
     and storeent_id = storeId;

  update cmdreg
     set properties = 'persistentValidationCode=true'
   where interfacename = 'com.ibm.commerce.security.commands.ResetPasswordCmd'
     and storeent_id = storeId;

  update cmdreg
     set properties = 'persistentValidationCode=true'
   where interfacename = 'com.ibm.commerce.security.commands.ResetPasswordAdministratorCmd'
     and storeent_id = storeId;
- Modify any store JSP files. For an example of a Validation Code page, see the Aurora starter store Forgot Password, Enter Validation Code, and Change Password pages.
- Restart the server or update the CMDREG registry in the Administration Console to apply the changes.