Verbesserung derSicherheit der Tokenabfrage bzw dessen Generierung

login/ChangePW.aspx.vb

@@ -5,16 +5,20 @@ Partial Class login_ChangePW
     Protected Sub Page_Load(sender As Object, e As EventArgs)
         Dim url = Request.ServerVariables("URL")
         Session.Add("urltochangepw", url)
+        If VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Session.Item("TokenforEmail").ToString()) = VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1")) Or VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Session.Item("TokenforEmail").ToString()) = Not Nothing Then
+            If getDateoftoken(VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1"))) = True Then
+                txt_Pw_WH.Enabled = False
+                regexval_txt_Pw_WH.Enabled = False
+                If IsPostBack Then
+                    reqPasswtxt.Validate()
+                    reqPassw1txt.Validate()
+                End If
+            Else
+                btn_submitpw.Enabled = False
 
-        If getDateoftoken(VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1"))) = True Then
-            txt_Pw_WH.Enabled = False
-            regexval_txt_Pw_WH.Enabled = False
-            If IsPostBack Then
-                reqPasswtxt.Validate()
-                reqPassw1txt.Validate()
             End If
         Else
-            btn_submitpw.Enabled = False
+            MsgBox("Link ist abgelaufen. Bitte neue E-Mail senden.", MsgBoxStyle.Critical, "Error06")
         End If
     End Sub
 

login/ForgotPW.aspx.vb

@@ -65,6 +65,7 @@ Partial Class login_ForgotPW
             con.Close()
         End Using
         tokenname = genToken(username, password, email)
+        Session.Add("TokenforEmail", tokenname)
         If SendEmail(username, password, email, tokenname) = True Then
             'password = RandomString(New Random, 10)
             If (getDateoftoken(tokenname) = True) Then