Wednesday, June 8, 2016

Re: How to make my app more secure. URL token

Olar Andrei:

You said - "If a letter is removed from the hashed token standing in the URL, and then just hit ENTER, the exact page reloads ( with the prompt for new password and retype new password )."

In my view your application works as expected; I do not see a problem. 

If you would rather the application not load the UI at all, then validate the hash first and display the UI only if it validates; otherwise don't. This logic is additional to what you already have.

In my case I'm doing that. When the user clicks on the link below, I verify that the hash is valid and not expired. If yes, I show the change password dialog; otherwise I simply show the application in its original mode (authenticated or unauthenticated).

http://127.0.0.1:8888/?resetToken=a3Tp9NNZ9vMHm3UlPdpTe3orsBRMs1xQXETStFxU7LpblbWdzDITZ0KcmLt06qpBENNTW0c2vplqF2Tadkb9Ki3yYlNAH1EIQ1Horc1BbZxIDrerywo0RUwwekHysNGYC0YN3LcvupXejD9kzjAtVrPLuDTKgQdg6s6dnfB1ouBQij1UNfpgttSZ5evLq7ALEKn8BMKFGd2kk2uTklVs6wqw27RDcDDZv&email=...@anymail.com&action=resetPassword

On Monday, June 6, 2016 at 10:37:01 AM UTC-4, Olar Andrei wrote:
Velusamy Velu:

I already know that link. I implemented my password reset based on your workflow.

But there again is the same problem (for me actually, perhaps due to my implementation). If a letter is removed from the hashed token in the URL and ENTER is then hit, the exact page reloads (with the prompt for new password and retype new password). In that case, when submitting, nothing happens, because the token does not match the token already stored in the DB, but like I said before, the page reloads, displaying the GUI, and it shouldn't do that.

On Monday, 6 June 2016, 14:47:47 UTC+3, Olar Andrei wrote:
Hello,

For now my application (MVP) has a login page, and 2 other places, the AdminPlace and the UserPlace.
My URL looks like this:

The login form consists of username and password, where the username is passed as a token to the next Place.
A user can't connect if he does not know the password, but let's say I'm logged in like in the link above. If I change the Admin to Admin2 or whatever, I still can see the page content. I don't want this. How can I avoid this?

Thanks in advance

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
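The approach Velusamy describes (verify the reset token server-side, check it has not expired, and only then render the change-password dialog) and the underlying point of the original question (the server, not a value in the URL, decides what the user may see) can both be shown in one small server-side class. The following is an added example, not code from the thread or from the GWT project; `ResetTokenService`, its in-memory map standing in for the DB, the 30-minute lifetime and the sample e-mail address are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical server-side reset-token service (illustration only, not the
 * poster's or GWT's code). The raw token travels only in the e-mailed link;
 * the server keeps just its SHA-256 digest and an expiry time.
 */
public class ResetTokenService {

    /** One row of the (here in-memory) token table. */
    static final class StoredToken {
        final byte[] tokenHash;
        final Instant expiresAt;
        StoredToken(byte[] tokenHash, Instant expiresAt) {
            this.tokenHash = tokenHash;
            this.expiresAt = expiresAt;
        }
    }

    private final Map<String, StoredToken> store = new HashMap<>(); // stands in for the DB
    private final SecureRandom random = new SecureRandom();
    private final Duration lifetime;

    ResetTokenService(Duration lifetime) {
        this.lifetime = lifetime;
    }

    /** Issue a fresh token for the reset link; only its hash is persisted. */
    String issue(String email, Instant now) {
        byte[] raw = new byte[32];                      // 256 bits of entropy
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(email, new StoredToken(sha256(token), now.plus(lifetime)));
        return token;
    }

    /**
     * Called by the page-load handler BEFORE any reset UI is built.
     * A missing, tampered or expired token yields false, and the client
     * then shows the normal application instead of the dialog.
     */
    boolean isValid(String email, String token, Instant now) {
        StoredToken stored = store.get(email);
        if (stored == null || token == null) {
            return false;
        }
        if (now.isAfter(stored.expiresAt)) {
            return false;
        }
        // Constant-time digest comparison: a token with one character removed
        // hashes to something completely different and is rejected.
        return MessageDigest.isEqual(stored.tokenHash, sha256(token));
    }

    /** Invalidate the token once the new password has been accepted (single use). */
    void consume(String email) {
        store.remove(email);
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        ResetTokenService svc = new ResetTokenService(Duration.ofMinutes(30));
        Instant t0 = Instant.now();
        String email = "user@example.com";             // constructed sample address
        String token = svc.issue(email, t0);

        // The cases from the thread: the intact link, the link with one
        // character removed, the link opened after the token expired, and
        // the link reused after the password was already changed.
        System.out.println("intact link:      " + svc.isValid(email, token, t0));
        System.out.println("char removed:     " + svc.isValid(email, token.substring(1), t0));
        System.out.println("after expiry:     " + svc.isValid(email, token, t0.plus(Duration.ofHours(1))));
        svc.consume(email);
        System.out.println("after use:        " + svc.isValid(email, token, t0));
    }
}
```

In a GWT application the client would read `resetToken` and `email` with `Window.Location.getParameter(...)` on startup, send them to the server over GWT-RPC (or RequestFactory), and construct the change-password dialog only when the server answers true; the client never decides on its own by inspecting the URL. The same principle answers the original question about `Admin` versus `Admin2` in the URL: which place a user may see is decided from the server-side session established at login, and a URL fragment that the browser can edit freely is never the source of that decision.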
