email random link for updating forgotten password..

Post by pavanpuligandla »

Hi all,
I'm developing a secured system for resetting a forgotten password.
In my first step, the user has to enter his userID, which will be validated against the DB, and if it exists he will be moved to the second step, where he'll be asked for more details, and if they also match,
in the third step I need to send a dynamic URL to the userID's email, where by clicking that link the user will be shown a password update page.
Can anyone please suggest how to do this? I succeeded with the above 2 steps.
I'm confused with the third step.
And the DB contains 2 tables holding customer's data.
Any help please, as I need to deliver this by tomorrow.
The feature simply resembles the http://www.ebay.in site's reset forgotten password feature.
Are there any PHP scripts available?

Re: email random link for updating forgotten password..

Post by Apollo »

1. Generate some random unique id with

$id = sha1(uniqid(mt_rand(),true));
2. Store this ID in your database in a separate field, e.g. give each user a 'password_reset_id' field or something (which is null by default) and store the generated ID there

3. Send a link to the user containing the random ID (and his user ID)

4. When a user visits the link, check if the given random ID matches the ID stored in your database (and also that the stored ID isn't empty, because then no reset was requested and someone is trying to cheat or mess up someone else's password)

5. If it matches, give him a new password and clear the ID in the database


PS. Wouldn't it be easier if you just generate a new password on the spot whenever a user requests so, and just email the new password directly?
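
The five steps above as an added example, not code from either poster: it draws the token from random_bytes() instead of uniqid()/mt_rand() (which the PHP manual says must not be used for security purposes), stores only a SHA-256 hash of the token, and adds an expiry. The reset_expires and password_hash columns, the example.test link, the in-memory SQLite database and the user-chosen new password are assumptions (PHP 7 or later).

```php
<?php
declare(strict_types=1);
// Added example. Table layout, link host and sample row are assumptions, not from the thread.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,
           password_hash TEXT, password_reset_id TEXT, reset_expires INTEGER)');
$db->exec("INSERT INTO users (id, email) VALUES (7, 'user@example.test')"); // constructed row

// Steps 1-3: create the token, store only its hash, return the link to e-mail.
function startReset(PDO $db, int $userId, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $stmt = $db->prepare('UPDATE users SET password_reset_id = ?, reset_expires = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), time() + $ttl, $userId]);
    return 'https://example.test/reset.php?uid=' . $userId . '&token=' . $token;
}

// Steps 4-5: verify the token, set the new password, clear the stored ID.
function finishReset(PDO $db, int $userId, string $token, string $newPassword): bool
{
    $stmt = $db->prepare('SELECT password_reset_id, reset_expires FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Reject unknown users and empty stored IDs (no reset was requested).
    if (!$row || $row['password_reset_id'] === null || $row['password_reset_id'] === '') {
        return false;
    }
    if ((int) $row['reset_expires'] < time()) {
        return false; // link has expired
    }
    // Constant-time comparison of the stored hash with the hash of the supplied token.
    if (!hash_equals($row['password_reset_id'], hash('sha256', $token))) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET password_hash = ?, password_reset_id = NULL,
                          reset_expires = NULL WHERE id = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    return true; // the stored ID is cleared, so the link works only once
}

$link = startReset($db, 7);
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
var_dump(finishReset($db, 7, 'wrong-token', 'N3w-passphrase')); // guessed token
var_dump(finishReset($db, 7, $q['token'], 'N3w-passphrase'));   // token from the link
var_dump(finishReset($db, 7, $q['token'], 'N3w-passphrase'));   // same link replayed
```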