Hi,

I've already created registration and login scripts for my application, however i now want to include an option for registered users to reset their password if they have forgotten it and cannot log in.

As currently, passwords stored in my database are encrypted, they cannot just be emailed to the member as they would be encrypted again on login.

As a result, what i want is for the member who cannot log in to enter their email address, an email be sent to that email address containing a link that redirects the member back to the site displaying a form allowing them to reset their password.

I have never developed any code in php related to email and i am not sure how i would construct the redirect link to allow only that member to reset their password. I have looked at snippets of code for ideas but they aren't clear about the redirects.

Any help would be much appreciated!
Thanks.

Why don't you set a random password and send that to the user via email? That way the user will change it after he logs to his own profile.

I could do that. Just trying to explore the most secure options available.

In addition to cereal's answer, if you send a new random password, you may want to expire it quickly to prevent the user forgetting to change it, and others hijacking it.

Try by send a reset password link to the user by email...

In addition to cereal's answer, if you send a new random password, you may want to expire it quickly to prevent the user forgetting to change it, and others hijacking it.

So i'm guessing i make a new random password, update the members password to this random password in the database, email it to them which allows them to log in and change their password to something they want.

How would i go about expiring that password?
I'm guessing sessions but i'm not sure how to do it.

You can add an expiry timestamp in your table. If it is filled with a date, then you must check it. After resetting you can set it to NULL.

Ah right, so to set it for a day later would it be like CURDATE()+1?
And then a condition to say if the current data/time >= timestamp, set it to null, and maybe update their password to another random one so that they have to request an email again?

Exactly. Am sure you can get what you want.

Okay, thanks for all of the help, i understand this area a lot better now.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.