When my users forget their passwords, they are sent to the page shown below. I generate a random password in JavaScript, encrypt it, and send both the plain text and md5 hash to a Servlet. The Servlet then e-mails the password to the user and stores the md5 hash in my database. This process works fine most of the time. But for some reason frequently generates an error where the generated password has length 0.
I tested my JavaScript code separately and had it generate hundreds of passwords. None had length 0. So where is this error coming from?
Here is the HTML form:
//This method returns a randomly generated mathy password.
function randomPassword(theForm) {
first = ["Euler", "Erdos", "Newton", "Eucl1d", "Gauss", "H1lb3rt", "Cantor", "Bernoulli", "PascaL"];
second = ["Const", "Number", "Theorem", "Prime", "Ratio", "Lemma", "Postulate", "Method", "Algorithm"];
symbol = ["!","@","#","$","%","^","&","*","_","+","-","?"];
a = Math.floor(Math.random() * first.length);
b = Math.floor(Math.random() * second.length);
n = Math.floor(Math.random() * 10);
style = Math.floor(Math.random() * 3); //0,1, or 2
if(style==0) password = first[a] + n + second[b];
else if(style==1) password = first[a] + second[b] + n;
else password = first[a] + second[b] + symbol[n];
theForm['newPass'].value = password;
theForm['passwordLog'].value = "style="+style + " a=" + a + ", b=" + b+ ", n=" + n;
hashField = theForm['passHash'];
hashField.value = hex_md5(password);
theForm.submit();
}
<body>
<h2>You can reset your password below.</h2>
<form action="ResetPassword" method="post" >
Enter your e-mail address:
<input type="text" name="eMail" id="eMail" size="20"/> <br />
<input type="button" value="Reset Password" onclick="randomPassword(this.form);" />
<input type="hidden" id="passHash" name="passHash" />
<input type="hidden" id="newPass" name="newPass" />
<input type="hidden" id="passwordLog" name="passwordLog" />
</form><br/>
<strong>Attention Coaches: If you are having trouble logging into this system,
please contact the scorekeeper: llaspina@bethpage.ws </strong>
</body>
And here is the Servlet that receives the form data sent from the above file:
@WebServlet(name = "ResetPasswordServlet", urlPatterns = {"/ResetPassword"})
public class ResetPasswordServlet extends HttpServlet {
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
ConnectionPool pool = ConnectionPool.getInstance();
java.sql.Connection con = pool.getConnection();
String emailAddress = request.getParameter("eMail");
String newPass = request.getParameter("newPass");
String passHash = request.getParameter("passHash");
String log = request.getParameter("passwordLog");
try {
Coach coach = null;
ArrayList<Coach> coachList = MathTeamDAO.getAllCoaches(con);
for(Coach c : coachList) {
if(c.email.equals(emailAddress) ) {
coach = c;
break;
}
}
out.println("<html><head><title>Scorekeeper Reset Password Servlet</title></head>");
out.println("<body>");
out.println("<h1>Reset Password Servlet</h1>");
if(coach==null) {
out.println("Your email address was not found in our database.<br/>" +
"Please contact the scorekeeper or the secretary to gain access to the sytem.");
}
else {
if(newPass == null || newPass.length()<3) {
out.print("An error occurred while generating a random password. The randomly generated password came back as ");
out.print(newPass);
out.println(" Please try to <a href=\"resetPassword.html\">reset your password</a> again.");
String errorMsg = "An error was encountered while attempting a password reset. ";
if(newPass==null)
errorMsg += "null newPass generated.";
else
errorMsg += " The newPass had length " + newPass.length() + " and =" + newPass;
if(log!=null)
errorMsg += ("\n" + log);
if(UtilityServlet.emailAnError(coach,errorMsg, this.getServletName() + " at " + this.getServletName()))
out.println("<br/>The scorekeeper was just informed of this error through email, so you do not need to report it.");
}
else {
out.println("<h3>Check your email for your new password and directions for signing into the scorekeeper system.</h3>");
out.print("Sending new password to " + coach.email + "<br/>");
ChangePasswordServlet.changePassword(con, coach.schoolID, passHash);
School herSchool = MathTeamDAO.getSchoolByCoach(con, coach);
String emailServerMessage = ChangePasswordServlet.sendPasswordEmail(coach, herSchool.shortName, newPass);
if(herSchool!=null) {
out.print("<br/>The username for " + herSchool.fullName);
out.print(" is <strong>");
out.print(herSchool.username);
out.println("</strong><br/>");
}
out.print(emailServerMessage);
}
out.flush();
}
out.println("<br/>Return to <a href=\"login.jsp\" >login page.</a>");
out.println("</body></html>");
}
catch(java.sql.SQLException utoh) { }
finally {
pool.freeConnection(con);
out.close();
}
}
Notice that I am having error messages sent to myself if the password is null or too short. This happens fairly regularly and they always have length 0. Why?