Hi!

Part of my website development is being able to recover a password,

and upon reading the OWASP page I found out that the best one is having a temp password and an expiration.

My customers table doesn't have a date column nor a temp pw column.

Do I have to add these columns to my existing table?

Is there a better way of doing this?

Or is there a really simple script that will help me accomplish this goal?

Can you show me an example, maybe?

thanks!


Hi,

You can add two columns to your customers table. One is for temp_password, and the second is for temp_passAge. We can then use the time as a comparator for the time elapsed since the temp password was created.

Example:

## assign server time to ctime
$ctime = time();
## your database connection (host, user, password and database name are placeholders)
$db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
## read the submitted values
$username = $_POST['username'];
$temp_password = $_POST['temp_pass'];

## then the actual query: table and column names go in backticks (single quotes would
## turn them into string literals), and a prepared statement keeps the submitted values
## out of the SQL text; matching on the username as well means the temp password is
## only accepted for that one account
$query = "SELECT * FROM `customer` WHERE `username` = ? AND `temp_password` = ?";
$stmt = $db->prepare($query);
$stmt->bind_param('ss', $username, $temp_password);
$stmt->execute();
$result = $stmt->get_result();

## grab the result here in loop
while( $row = $result->fetch_assoc() ){
    ## take the values
    $password_age = $row['temp_passAge'];

    ## subtract the time the temp password was created from the current time
    $time_e = $ctime - $password_age;

    ## set your expiration in seconds
    $pass_expire = 2400; ## this is in seconds

    ## set your conditions for whatever
    if($time_e >= $pass_expire){
        ## the password expired
        echo "Your Password Expired";
        ## provide link to whatever page needs to handle this event.
    }
    else{
        echo "Your Password is good";
        ## show form to update password
        ## do database update on the user's password
    }
}

I prefer doing this in this part of the code:

else{
 
echo "Your Password is good";
 
## show form to update password
 
## do database update on the user's password
$password_ok = true;
}

Then just build your response and processing based on the true or false, so that you don't have to put too much stuff inside the while loop.

Temp password is a bad idea. Send the user a unique link and provide him with a form to set up a new password.

In my website:
1) I have a form asking the user to type the username and email id.
2) The database will verify the details.
3) If the details are correct, my PHP will generate and store the current timestamp and a reset code (random code) in two separate columns without disturbing the password field.
4) The same PHP script will also send the email to the user, e.g. http://www.xyz123.com/reset.php?resetcode=ftyudoidjkdh

5) The user will click the link and will reset the password..

Here is the key: when the user clicks the link, "reset.php" will look for the current timestamp (the timestamp which "reset.php" has) and compare it with the timestamp stored in the database... You can set the elapsed time to any number of hours (in the PHP) for the code to expire...

<<If you want, I can explain it with the code in my website>>
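As an added example (not the poster's own code), here is that reset-link flow in PHP with the two extra columns the original question asked about, the random code stored only as a hash, an expiry check and single-use links. The in-memory SQLite table, the column names reset_hash/reset_time and the one-hour lifetime are assumptions made for this example.

```php
<?php
// Added example (not code from the thread): the reset-link flow described above,
// with the random code stored as a hash, an expiry check and single-use reset.
// An in-memory SQLite database (PDO) stands in for the MySQL "customer" table so
// the script runs stand-alone; the two added columns are reset_hash and reset_time.
declare(strict_types=1);
const RESET_TTL_SECONDS = 3600; // assumed: link valid for one hour

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT,
        password_hash TEXT, reset_hash TEXT NULL, reset_time INTEGER NULL)');
    $db->prepare('INSERT INTO customer (email, password_hash) VALUES (?, ?)')
       ->execute(['alice@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);
    return $db;
}

// Step 3: generate the random code and timestamp. Only a hash of the code is
// stored, so a copy of the table does not contain usable reset links.
function createResetCode(PDO $db, string $email): ?string {
    $code = bin2hex(random_bytes(32));  // 256-bit CSPRNG token, goes in the e-mailed link
    $stmt = $db->prepare('UPDATE customer SET reset_hash = ?, reset_time = ? WHERE email = ?');
    $stmt->execute([hash('sha256', $code), time(), $email]);
    return $stmt->rowCount() === 1 ? $code : null;  // null: no such account
}

// Step 5 (reset.php): look the code up by its hash, reject expired or unknown
// codes, set the new password and clear the code so the link works only once.
function completeReset(PDO $db, string $code, string $newPassword, ?int $now = null): bool {
    $now = $now ?? time();
    $stmt = $db->prepare('SELECT id, reset_time FROM customer WHERE reset_hash = ?');
    $stmt->execute([hash('sha256', $code)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int) $row['reset_time'] > RESET_TTL_SECONDS) {
        return false;
    }
    $db->prepare('UPDATE customer SET password_hash = ?, reset_hash = NULL,
                  reset_time = NULL WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['id']]);
    return true;
}

$db = openDb();
$code = createResetCode($db, 'alice@example.com');
var_dump(completeReset($db, $code, 'new-secret'));           // fresh code
var_dump(completeReset($db, $code, 'again'));                 // same code reused
$code = createResetCode($db, 'alice@example.com');
var_dump(completeReset($db, $code, 'late', time() + 7200));  // two hours later
```

The three var_dump calls exercise a fresh link, a reused link and an expired link; in the real reset.php the code comes from $_GET['resetcode'] and the new password from the form.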

I figured it out and followed the previous post's solution.
