Hey everyone, I'm making a login system (in an attempt to advance my PHP knowledge). I've successfully made a system which registers the user (and uses md5 on their password), and also a login page which queries the database on the login info they supply (with the supplied password also being run through md5 so it matches the database).
My problem is this: What if someone forgets their password? md5 is (from what I've read) irreversible so my only option would be to reset the password right? If so then is this a logical step by step process?
1) Generate a random code and store it to that users record (meaning I'll need another field called deletion_code or something right?)
2) Email them the code
3) They'll go to a deletion confirmation page where they paste the code and their new password, and submit.
4) The password will be md5'd and updated. The deletion_code field of that users record will be blanked.
Any feedback would be much appreciated. I also have one other problem. Currently the unique ID of the members table is ID but should I change that to email? It seems more relevant, or can I have two primary keys?
Also if someone attempts to register an email already in the database, what is the error that comes back and how can I catch it? (for example in file uploads if the file size is too big, the 'error' attribute comes back with a value of 2).
Thanks for any help at all guys,