From ce75a6d10db55192ad8524b95d2e85c527e83356 Mon Sep 17 00:00:00 2001 From: ja Date: Wed, 13 Oct 2021 09:38:13 +0200 Subject: [PATCH] Verbesserung derSicherheit der Tokenabfrage bzw dessen Generierung --- login/ChangePW.aspx.vb | 18 +++++++++++------- login/ForgotPW.aspx.vb | 1 + 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/login/ChangePW.aspx.vb b/login/ChangePW.aspx.vb index 95560ad..c0035ec 100644 --- a/login/ChangePW.aspx.vb +++ b/login/ChangePW.aspx.vb @@ -5,16 +5,20 @@ Partial Class login_ChangePW Protected Sub Page_Load(sender As Object, e As EventArgs) Dim url = Request.ServerVariables("URL") Session.Add("urltochangepw", url) + If VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Session.Item("TokenforEmail").ToString()) = VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1")) Or VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Session.Item("TokenforEmail").ToString()) = Not Nothing Then + If getDateoftoken(VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1"))) = True Then + txt_Pw_WH.Enabled = False + regexval_txt_Pw_WH.Enabled = False + If IsPostBack Then + reqPasswtxt.Validate() + reqPassw1txt.Validate() + End If + Else + btn_submitpw.Enabled = False - If getDateoftoken(VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1"))) = True Then - txt_Pw_WH.Enabled = False - regexval_txt_Pw_WH.Enabled = False - If IsPostBack Then - reqPasswtxt.Validate() - reqPassw1txt.Validate() End If Else - btn_submitpw.Enabled = False + MsgBox("Link ist abgelaufen. Bitte neue E-Mail senden.", MsgBoxStyle.Critical, "Error06") End If End Sub diff --git a/login/ForgotPW.aspx.vb b/login/ForgotPW.aspx.vb index 58aa397..6b6a9b5 100644 --- a/login/ForgotPW.aspx.vb +++ b/login/ForgotPW.aspx.vb 
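Review bot: The `Or ... = Not Nothing` operand of the new outer `If` in `Page_Load` never looks at `Request.QueryString("Par1")`, so the condition can be decided without the link token equalling the session token; `= Not Nothing` is not VB's null test, and how it evaluates depends on Option Strict, which is not visible here. `Session.Item("TokenforEmail").ToString()` is also dereferenced before any null check and `Or` does not short-circuit, so a request without that session entry would raise a NullReferenceException instead of reaching the `Else`. I would read the value once with `Dim sessTok = Session("TokenforEmail")` and test `If sessTok IsNot Nothing AndAlso Request.QueryString("Par1") IsNot Nothing AndAlso VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(sessTok.ToString()) = VERAG_PROG_ALLGEMEIN.cCryptography.Decrypt(Request.QueryString("Par1")) Then`. The new outer `Else` only calls `MsgBox`, which is a server-side dialog rather than a browser message in ASP.NET, and unlike the inner `Else` it leaves `btn_submitpw` enabled; add `btn_submitpw.Enabled = False` there and show the text in a page control. The submit handler is outside this hunk, so confirm it re-validates the token rather than relying on the control state set here.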
@@ -65,6 +65,7 @@ Partial Class login_ForgotPW con.Close() End Using tokenname = genToken(username, password, email) + Session.Add("TokenforEmail", tokenname) If SendEmail(username, password, email, tokenname) = True Then 'password = RandomString(New Random, 10) If (getDateoftoken(tokenname) = True) Then
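Review bot: The added `Session.Add("TokenforEmail", tokenname)` runs before `SendEmail` has succeeded, and nothing visible in this hunk removes the entry again, so a failed send or a completed reset leaves a usable `TokenforEmail` in the session for the rest of its lifetime. Move the line into the `If SendEmail(...) = True` branch, or call `Session.Remove("TokenforEmail")` on the failure path and once the password has been changed (that code is outside this hunk). A comment such as `' Reset link is only accepted in the browser session that requested it (checked in ChangePW.Page_Load)` would also help, since a link opened on another device or after session expiry will now be rejected. The enclosing method starts and ends outside the hunk.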