forgot my password feature

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

murlopaz
Forum Commoner
Posts: 60
Joined: Wed Oct 11, 2006 5:02 pm
Location: Baltimore, MD, USA

Post by murlopaz »

I want to implement a "forgot my password" feature, but I am not sure how to do that...

Well, I am going to ask the user for his/her email and the secret answer.
Then, if they match the data in the database, I will send an email with a link that should change his/her password.

This is where I am lost. How do I implement this last step?
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

Code:

// PHP's built-in mail() needs at least a recipient, a subject and a message body
mail($to, $subject, $message);
But more recently everyone has been using Swift Mail...

-NSF
murlopaz
Forum Commoner
Posts: 60
Joined: Wed Oct 11, 2006 5:02 pm
Location: Baltimore, MD, USA

Post by murlopaz »

that wasn't my question...
I have to direct the user to a webpage where he/she can change the password
klarinetking
Forum Commoner
Posts: 59
Joined: Mon Jul 24, 2006 9:43 am

Post by klarinetking »

Hi,

The best way I have found to do this is:

1) User requests to change their password
2) User Record is changed to inactive, and a key is generated and posted to the DB, and sent to the user.
3) User follows link (which includes key in GET) in e-mail, and has to input their username and secret answer.
4) If everything matches, provide a form to change the password. Change user record to active with the new pw.

Hope this helps :)

klarinetking
Dave2000
Forum Contributor
Posts: 126
Joined: Wed Jun 21, 2006 1:48 pm

Post by Dave2000 »

klarinetking wrote:
    2) User Record is changed to inactive, and a key is generated and posted to the DB, and sent to the user.
There is no need to make the account inactive because: Evil user comes along. Requests to change someone's password on an account that isn't his - oh look that account is now inactive. 8O This could be a problem within some applications if people could just make whoever they please inactive :lol:

Shears
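As an added example that is not part of this thread (it is neither klarinetking's nor Dave2000's code), here is the four-step flow from klarinetking's post implemented in PHP 7+ with PDO and an in-memory SQLite database, taking Dave2000's objection into account: the account is never marked inactive, only a hash of the reset key is stored, the key expires, and it can be used exactly once. The table and column names, the example.test addresses, the one-hour lifetime and the use of the pdo_sqlite extension are assumptions made for the demo; the username/secret-answer check from step 3 is left out so the token handling stays in focus.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.0+ (random_bytes, Throwable)
// and the pdo_sqlite extension; table and column names are made up for this demo.
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600; // a reset link is valid for one hour (assumed policy)

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    // Only a hash of the reset key is stored, so a read-only leak of this table
    // does not hand anyone a working reset link.
    $db->exec('CREATE TABLE password_resets (
        user_id    INTEGER NOT NULL,
        token_hash TEXT    NOT NULL UNIQUE,
        expires_at INTEGER NOT NULL,
        used       INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Step 2 of klarinetking's flow, minus "change the record to inactive": the account
// stays usable until its owner completes the reset, so a stranger typing in someone
// else's address locks nobody out.
function requestReset(PDO $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        // Unknown address: the page should still say "if that address is registered,
        // a link has been sent", so the form cannot be used to enumerate accounts.
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG; appears only in the e-mail link
    $ins = $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $ins->execute([(int) $userId, hash('sha256', $token), time() + RESET_TTL_SECONDS]);
    return $token; // the caller mails a link such as https://example.test/reset.php?token=<token>
}

// Steps 3 and 4: the key from the link must match an unused, unexpired row. The new
// password is set and every outstanding key for that user is burned in one
// transaction, so the same link can never be replayed.
function completeReset(PDO $db, string $token, string $newPassword): bool
{
    if (strlen($newPassword) < 12) {
        return false; // apply the same password policy as the registration form
    }
    $db->beginTransaction();
    try {
        $sel = $db->prepare('SELECT user_id FROM password_resets
                             WHERE token_hash = ? AND used = 0 AND expires_at > ?');
        $sel->execute([hash('sha256', $token), time()]);
        $userId = $sel->fetchColumn();
        if ($userId === false) {
            $db->rollBack();
            return false; // wrong, expired or already-used key: one generic failure
        }
        $db->prepare('UPDATE password_resets SET used = 1 WHERE user_id = ?')->execute([(int) $userId]);
        $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
           ->execute([password_hash($newPassword, PASSWORD_DEFAULT), (int) $userId]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed demo data: one user, then the whole flow including the failure cases.
$db = setupDb();
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['alice@example.test', password_hash('old-password-1234', PASSWORD_DEFAULT)]);

var_dump(requestReset($db, 'nobody@example.test'));               // case: address not registered
$token = requestReset($db, 'alice@example.test');                  // case: real account, key issued
var_dump(completeReset($db, 'not-the-token', 'new-password-5678')); // case: wrong key
var_dump(completeReset($db, $token, 'new-password-5678'));          // case: correct key
var_dump(completeReset($db, $token, 'another-password-9'));         // case: same key a second time
$hash = $db->query("SELECT password_hash FROM users WHERE email = 'alice@example.test'")->fetchColumn();
var_dump(password_verify('new-password-5678', $hash));              // case: new password now in effect
```

The page that receives the link only ever needs the key from the query string: it never takes a user id or e-mail from the URL, because the key alone identifies the row, and anything else in the URL would be attacker-controlled input to validate.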
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

haha stupid spammer... that was hilarious... what a great solution to your problem! :lol: :lol: