Reputation: 9054
If I send an email to a user's email address with a link to a password reset page, how do I authenticate the link? Should I store some randomly generated key in my database, and then add it to the link string? www.mydomain.com/passwordreset.html?key=abcd1234zz235
Then check this key against the stored key in the database?
If this is indeed the right approach, should I create some separate table to store these keys with their corresponding email? And if the answer to that is yes, then should I delete these keys after the user has reset their password to save space in my database?
Thank you in advance!
Upvotes: 0
Views: 2066
Reputation: 197757
should I create some separate table to store these keys with their corresponding email?
Yes, I would do that.
And if the answer to that is yes, then should I delete these keys after the user has reset their password to save space in my database?
Not because of space but because the transaction has been finished.
You cannot save space here, by the way, because you should keep a log entry of the password change event in the audit log.
Upvotes: 1
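The answer above describes a separate table for reset keys that are deleted once the transaction finishes, plus an audit log entry. The following is an added example (not code from the question or either answerer) showing that flow end to end with Python's `secrets` and an in-memory SQLite schema constructed for the example. Two details go beyond the answer and are assumptions: the table stores a SHA-256 hash of the key rather than the key itself, so a read of the table does not yield usable links, and each key expires after one hour.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed schema for the example: a users table, a separate table for
# outstanding reset requests keyed by the hashed token, and an audit log.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT);
CREATE TABLE password_reset (
    token_hash TEXT PRIMARY KEY,
    email      TEXT NOT NULL,
    expires_at INTEGER NOT NULL
);
CREATE TABLE audit_log (ts INTEGER, email TEXT, event TEXT);
"""

TOKEN_TTL_SECONDS = 3600  # assumption: a reset link stops working after one hour


def open_db():
    """Open an in-memory database with one constructed sample user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users (email, password_hash) VALUES (?, ?)",
                 ("alice@example.com", "old-hash"))
    conn.commit()
    return conn


def _hash_token(token):
    # Only the hash is stored; the raw key exists only in the emailed link.
    return hashlib.sha256(token.encode()).hexdigest()


def create_reset_token(conn, email, now=None):
    """Generate a random key for `email`, store its hash, return the raw key for the link."""
    now = int(time.time()) if now is None else now
    if conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone() is None:
        return None  # unknown address: the caller should still show a generic message
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    # One outstanding request per address: a new request replaces the old key.
    conn.execute("DELETE FROM password_reset WHERE email = ?", (email,))
    conn.execute("INSERT INTO password_reset VALUES (?, ?, ?)",
                 (_hash_token(token), email, now + TOKEN_TTL_SECONDS))
    conn.commit()
    return token


def reset_link(token):
    # Domain taken from the question; the key travels only in the query string.
    return "https://www.mydomain.com/passwordreset.html?key=" + token


def consume_reset_token(conn, token, new_password_hash, now=None):
    """Look the key up, check it is unexpired, change the password, delete the key, log the event."""
    now = int(time.time()) if now is None else now
    token_hash = _hash_token(token)
    row = conn.execute("SELECT email, expires_at FROM password_reset WHERE token_hash = ?",
                       (token_hash,)).fetchone()
    if row is None:
        return False
    email, expires_at = row
    # Delete first: the key is single-use whether or not it turns out to be expired.
    conn.execute("DELETE FROM password_reset WHERE token_hash = ?", (token_hash,))
    if now > expires_at:
        conn.commit()
        return False
    conn.execute("UPDATE users SET password_hash = ? WHERE email = ?", (new_password_hash, email))
    conn.execute("INSERT INTO audit_log VALUES (?, ?, ?)", (now, email, "password_reset"))
    conn.commit()
    return True


def audit_events(conn, email):
    """Return the audit events recorded for an address (the log outlives the deleted key)."""
    return [r[0] for r in conn.execute("SELECT event FROM audit_log WHERE email = ?", (email,))]


if __name__ == "__main__":
    db = open_db()
    key = create_reset_token(db, "alice@example.com")
    print(reset_link(key))
    print("reset ok:", consume_reset_token(db, key, "new-hash"))
    print("reuse ok:", consume_reset_token(db, key, "new-hash"))  # False: key deleted
```

The deletion happens before the expiry check so that a presented key is gone after a single use in either case, which is the "transaction has been finished" point of the answer; the audit row is what remains afterwards.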
Reputation: 6051
Take a look at this link, which might help you. Basically you have to create a table for password reset requests and generate a key which will identify the user, and the reset request itself.
Upvotes: 0
Reputation: 324630
Yes, that would work. Personally I like to have the key be an encoded string based on their user data that I can then decode. For instance, I might take the string userid|password_hash|emailaddress, encode it and send it. Then, when receiving it, I can decode it and split the parts out. The User ID is used to search the database, and then the password_hash and email are verified and if it all checks out then I can continue.
That said, your solution is probably better because it means you know whether or not the reset was actually requested. Ultimately all that matters is that it's made hard to just guess.
Upvotes: 0
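The answer above describes a stateless key: encode userid|password_hash|emailaddress, then decode it and check the fields against the database. The following is an added example, not the answerer's code, implementing that construction in Python. One assumption goes beyond the answer: the encoded string carries an HMAC tag under a server-side secret, so a key only verifies if it was produced by the server, and it stops verifying as soon as the stored password hash changes. The user table is a constructed dictionary standing in for the database lookup.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed user records standing in for the database lookup by user ID.
USERS = {42: {"email": "alice@example.com", "password_hash": "pbkdf2$old-hash"}}

# Assumption not in the answer: a server-side secret; without it the encoded
# string could be rebuilt by anyone who knows the three fields.
SERVER_SECRET = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to the payload


def make_key(user_id, secret=SERVER_SECRET):
    """Encode userid|password_hash|email as the answer describes, plus an HMAC tag."""
    user = USERS[user_id]
    payload = "{}|{}|{}".format(user_id, user["password_hash"], user["email"]).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_key(key, secret=SERVER_SECRET):
    """Decode the key, check its tag, then confirm the fields still match the user's record.

    Returns the user ID on success and None otherwise. Because the hash is part of
    the key, a link issued before a password change no longer verifies afterwards.
    Unlike a stored random key, this cannot tell whether a reset was ever requested.
    """
    try:
        raw = base64.urlsafe_b64decode(key.encode())
    except ValueError:  # bad padding or non-base64 input
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    parts = payload.decode(errors="replace").split("|", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    user_id, password_hash, email = int(parts[0]), parts[1], parts[2]
    user = USERS.get(user_id)  # the User ID selects the record, as in the answer
    if user is None:
        return None
    if user["password_hash"] != password_hash or user["email"] != email:
        return None
    return user_id


if __name__ == "__main__":
    k = make_key(42)
    print("key:", k)
    print("verifies as user:", verify_key(k))
    USERS[42]["password_hash"] = "pbkdf2$new-hash"
    print("after password change:", verify_key(k))  # None: old link is dead
```

The check against the current record is what makes the key single-use in practice: the first successful reset changes the stored hash, which invalidates every key that embeds the old one.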
Reputation: 14233
That is a pretty typical way of handling it. I usually will add a PasswordResetKey field to my user table.
Upvotes: 1