I have generated a eight digit random OTP and sent it to mail using servlet. I want to validate the OTP at the next page without storing it anywhere like database and session. How can I do this?
>Solution :
This technique is done using the following steps:
- Create a cryptographic hash (HMAC) of the phone number, the generated OTP and the expiry timestamp combined.
- Append the expiry timestamp with the hash and Send the hash to the
user as the response of the first request. - Once the user gets the SMS, the user sends back the hash, the phone number and the OTP in the second request.
- The server verifies the OTP by hashing the phone number, OTP sent by the
user, and the expiry timestamp that was appended with the hash, the user sent back. Using the same key and same algorithm. - If the expiry timestamp is valid and still in the future. And the
newly generated hash matches the one sent by the user. Then the OTP
is authentic.