
Hi,

I've already created registration and login scripts for my application, however I now want to include an option for registered users to reset their password if they have forgotten it and cannot log in.

As currently, passwords stored in my database are encrypted, they cannot just be emailed to the member as they would be encrypted again on login.

As a result, what I want is for the member who cannot log in to enter their email address, an email be sent to that email address containing a link that redirects the member back to the site displaying a form allowing them to reset their password.

I have never developed any code in PHP related to email and I am not sure how I would construct the redirect link to allow only that member to reset their password. I have looked at snippets of code for ideas but they aren't clear about the redirects.

Any help would be much appreciated!
Thanks.


Why don't you set a random password and send that to the user via email? That way the user will change it after he logs in to his own profile.


I could do that. Just trying to explore the most secure options available.


In addition to cereal's answer, if you send a new random password, you may want to expire it quickly to prevent the user forgetting to change it, and others hijacking it.


In addition to cereal's answer, if you send a new random password, you may want to expire it quickly to prevent the user forgetting to change it, and others hijacking it.

So I'm guessing I make a new random password, update the member's password to this random password in the database, email it to them which allows them to log in and change their password to something they want.

How would I go about expiring that password?
I'm guessing sessions but I'm not sure how to do it.


You can add an expiry timestamp in your table. If it is filled with a date, then you must check it. After resetting you can set it to NULL.


Ah right, so to set it for a day later would it be like CURDATE()+1?
And then a condition to say if the current date/time >= timestamp, set it to null, and maybe update their password to another random one so that they have to request an email again?
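As an added example (not code posted in this thread), the expiry-timestamp scheme pritaeas describes, applied to a single-use reset link as the original post wanted, with the expiry computed and checked in MySQL rather than CURDATE()+1. It assumes a PDO connection $pdo to MySQL, a members table with id, email and password_hash, and a password_resets table with user_id, token_hash and expires_at.

```php
<?php
// Assumed schema: members(id, email, password_hash),
//                 password_resets(user_id, token_hash, expires_at DATETIME)

function createResetToken(PDO $pdo, string $email): ?string
{
    $stmt = $pdo->prepare('SELECT id FROM members WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        // Caller shows the same generic message either way, so unknown
        // addresses are not revealed to whoever submits the form.
        return null;
    }
    $token = bin2hex(random_bytes(32));   // unguessable; only ever sent in the email link
    $tokenHash = hash('sha256', $token);  // store a hash, so a DB leak does not leak live links
    $pdo->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at)
                   VALUES (?, ?, DATE_ADD(NOW(), INTERVAL 1 HOUR))')   // short lifetime
        ->execute([$userId, $tokenHash]);
    // The email carries e.g. https://example.test/reset.php?token=<token> (assumed URL).
    return $token;
}

function consumeResetToken(PDO $pdo, string $token, string $newPassword): bool
{
    // The expiry check is part of the query: an expired row simply never matches.
    $stmt = $pdo->prepare('SELECT user_id FROM password_resets
                           WHERE token_hash = ? AND expires_at > NOW()');
    $stmt->execute([hash('sha256', $token)]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return false; // unknown or expired token: the member must request a new email
    }
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE members SET password_hash = ? WHERE id = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    // Single use: remove the row so the same link cannot reset the password again.
    $pdo->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $pdo->commit();
    return true;
}
```

Expired rows can be cleaned up by a periodic DELETE ... WHERE expires_at <= NOW(); nothing needs to be set to NULL because the token row is deleted on use.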


Okay, thanks for all of the help, I understand this area a lot better now.
