How can a user retrieve his password if he forgets his password?
Any ideas or any code you can refer... or tutorials?
And the next question is...
When a user registers, a mail is sent to the email address which he provided during registration,
and an activation link is sent to him, and when he clicks on the activation link his registration should activate...
Please help me...!
If User Forgets His Password? And Activation Email
- Chris Corbyn
Both questions have been asked many times before.
As for sending a user their password... don't. It's bad and very insecure for two reasons:
a) You're sending someone's password by email (insecure) and they may use that same password for all sorts
b) You'd have to be storing plain text, unhashed passwords to do this
Simply have a "Secret Question" type of setup, along with perhaps questions such as Date of Birth or Place Of Birth... if those are answered correctly then you allow the user to simply reset their password, overwriting the original one.
As for the activation email... it's pretty simple.
1. User registers --> details stored in database and email is sent
2. Records for user contain a flag that indicates the email hasn't been read and hence the account is inactive
3. URL in email contains the username (or userid) along with a random hash which you also stored in the DB at initial registration
4. User clicks link
5. Random hash is checked to ensure it matches the one created at registration and if it matches, the flag that says the user account isn't active is removed.
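The five activation steps in the reply above, as an added example that is not code from the thread or its posters. The table layout, function names and `BASE_URL` are assumptions; it also goes slightly beyond the post by storing only a SHA-256 digest of the random value, comparing it in constant time, and making the link single-use.

```python
import hashlib
import hmac
import secrets
import sqlite3
from urllib.parse import urlencode

BASE_URL = "https://example.test/activate"  # placeholder URL (assumption)

def open_db():
    db = sqlite3.connect(":memory:")  # in-memory DB so the example runs offline
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,"
        " active INTEGER NOT NULL DEFAULT 0, token_hash TEXT)"
    )
    return db

def _digest(token):
    # Only this digest is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def register(db, email):
    """Steps 1-3: store the user as inactive and return the link to email."""
    token = secrets.token_urlsafe(32)  # unguessable value from the OS CSPRNG
    cur = db.execute(
        "INSERT INTO users (email, token_hash) VALUES (?, ?)",
        (email, _digest(token)),
    )
    db.commit()
    return BASE_URL + "?" + urlencode({"uid": cur.lastrowid, "token": token})

def activate(db, uid, token):
    """Steps 4-5: check the value from the link and clear the inactive flag."""
    row = db.execute(
        "SELECT token_hash FROM users WHERE id = ? AND active = 0", (uid,)
    ).fetchone()
    if row is None:
        return False  # unknown user, or account already activated
    if not hmac.compare_digest(row[0], _digest(token)):
        return False  # wrong value: the account stays inactive
    db.execute("UPDATE users SET active = 1, token_hash = NULL WHERE id = ?", (uid,))
    db.commit()
    return True

def is_active(db, uid):
    row = db.execute("SELECT active FROM users WHERE id = ?", (uid,)).fetchone()
    return bool(row and row[0])

if __name__ == "__main__":
    print(register(open_db(), "alice@example.test"))  # constructed sample address
```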