I'm working on a Java servlet application, on the reset-password function. The GET method basically checks a parameter `email` and checks whether the email is valid. Then it sets the email as an attribute in the session. After that it forwards the request to the JSP.
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String email = request.getParameter("email");
        if (isUserValid(email)) {
            // The email is the only value the POST step will later trust; no separate reset token is checked here.
            request.getSession().setAttribute("email", email);
        } else {
            request.getSession().setAttribute("error", "Invalid token or token expired");
        }
        request.getRequestDispatcher("jsp/reset-password.jsp").forward(request, response);
    }
Within the JSP, I only display the form if the email exists in the session.
    <c:if test="${not empty sessionScope.email}">
        <!-- Reset Password Form -->
        <form action="reset-password" method="post">
            <p class="email-info">${sessionScope.email}</p>
            <!-- Password Field -->
            <div class="mb-3">
                <label for="password" class="form-label">New Password</label>
                <div class="input-group">
                    <input type="password" class="form-control" id="password" name="password"
                           placeholder="Enter new password" required/>
                    <span class="input-group-text" onclick="togglePassword('password', 'eye-icon1')">
                        <i id="eye-icon1" class="fa fa-eye"></i>
                    </span>
                </div>
            </div>
            <!-- Confirm Password Field -->
            <div class="mb-3">
                <label for="confirmPassword" class="form-label">Confirm Password</label>
                <div class="input-group">
                    <input type="password" class="form-control" id="confirmPassword" name="confirmPassword"
                           placeholder="Confirm new password" required/>
                    <span class="input-group-text">
                        <i id="eye-icon2" class="fa fa-eye"></i>
                    </span>
                </div>
            </div>
            <!-- Submit Button -->
            <button type="submit" class="btn btn-primary w-100">Reset Password</button>
        </form>
    </c:if>
    <c:if test="${not empty sessionScope.error}">
        <p class="text-center error-message">${sessionScope.error}</p>
        <c:remove var="error" scope="session"/>
    </c:if>
    <c:if test="${not empty sessionScope.success}">
        <%-- fixed: this block previously printed the error attribute instead of the success attribute --%>
        <p class="text-center success-message">${sessionScope.success}</p>
        <c:remove var="success" scope="session"/>
    </c:if>
The form is then sent to this POST method, where I check if the email is valid again, along with the new password. After that I update the user.
    // Requires: import java.net.URLEncoder; import java.nio.charset.StandardCharsets; (URLEncoder.encode(String, Charset) is Java 10+)
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String email = (String) request.getSession().getAttribute("email");
        if (email == null || !isUserValid(email)) {
            request.getSession().setAttribute("error", "Invalid token or token expired");
            // Redirect without a parameter when the session holds no email (the original appended the text "null").
            response.sendRedirect(email == null ? "reset-password" : resetUrl(email));
            return;
        }
        String password = request.getParameter("password");
        String confirmPassword = request.getParameter("confirmPassword");
        // Null-check before equals(): the client-side "required" attribute is not a server-side guarantee.
        if (password == null || !password.equals(confirmPassword)) {
            request.getSession().setAttribute("error", "Passwords do not match");
            response.sendRedirect(resetUrl(email));
            return;
        }
        User user = userDAO.findUserByEmail(email);
        if (user == null) {
            request.getSession().setAttribute("error", "User not found");
            response.sendRedirect(resetUrl(email));
            return;
        }
        // Stored as received; a real application hashes the password before persisting it.
        user.setPassword(password);
        userDAO.updateUser(user);
        request.getSession().setAttribute("success", "Password reset successfully");
        request.getSession().removeAttribute("email");
        response.sendRedirect(resetUrl(email));
    }

    // URL-encodes the email so that characters such as '+' or '&' in an address cannot break the query string.
    private static String resetUrl(String email) {
        return "reset-password?email=" + URLEncoder.encode(email, StandardCharsets.UTF_8);
    }
When I test locally, everything works fine until I submit the form. The request is sent to the POST method, but there is no email attribute in the session. I confirmed it with debugging tools. I have not invalidated the session nor removed the attribute at all. It would be nice if anyone could analyze the code and help me with this.
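As an added diagnostic for this kind of problem (example code, not part of the question or the asker's project): a servlet filter that, for every request to the reset-password path, logs which session ID the browser presented, whether the container still recognises it, which session (if any) the request ends up attached to, and whether the `email` attribute is present. It assumes a Jakarta Servlet container (`jakarta.servlet.*` imports; on a `javax.servlet` container, swap the package prefix) and that the servlet is mapped at `/reset-password` as in the question; the filter name `SessionTraceFilter` is made up for the example.

```java
// Added diagnostic example, not the question's code. Assumes a Jakarta Servlet 5+ container;
// on older containers replace the jakarta.servlet imports with javax.servlet.
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;

// Mapped to the same path as the reset-password servlet in the question.
@WebFilter("/reset-password")
public class SessionTraceFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // What the browser sent: the JSESSIONID it presented (null if no cookie / URL parameter),
        // and whether that ID still maps to a live session on this container.
        String requestedId = request.getRequestedSessionId();
        boolean requestedIdValid = request.isRequestedSessionIdValid();

        // getSession(false) never creates a session, so the trace itself cannot hide the problem
        // by silently starting a fresh, empty session.
        HttpSession session = request.getSession(false);
        String current = session == null
                ? "none"
                : session.getId() + (session.isNew() ? " (new)" : "");
        Object email = session == null ? null : session.getAttribute("email");

        System.out.printf("%s %s host=%s requestedSessionId=%s valid=%b currentSession=%s email=%s%n",
                request.getMethod(), request.getRequestURI(), request.getHeader("Host"),
                requestedId, requestedIdValid, current, email);

        chain.doFilter(req, res);
    }
}
```

Reading the two log lines side by side (the GET that rendered the form and the POST that lost the attribute) tells you which kind of failure you have. If the POST line shows `requestedSessionId=null`, the browser did not send the session cookie at all; if it shows a different ID than the GET with `valid=false`, it sent a stale one. Typical reasons in a local setup are that the two requests went to different hosts or ports (for example `localhost` versus `127.0.0.1`), that the cookie was issued with a path or the `Secure` flag that the POST does not satisfy over plain HTTP, or that the session was replaced between the requests; the `Host` column and the `(new)` marker make those cases visible without attaching a debugger. Remove the filter once the cause is found, since it writes session identifiers and e-mail addresses to the log.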