Reputation: 449
I had been reading through many pages about resetting passwords with tokens.
I understand it up to the point of getting the token from the link, $_GET['token'];
But I am not following after that: what do I do with the token? Do I just check if it exists in the database? Because I read on this link about cross-referencing in the reset_password table, but I don't understand what that means. Looking for some good options to send users reset password emails.
Do I just check if the token exists and pick the email that is on the same row? Then I allow the user to reset the password using that email?
Upvotes: 0
Views: 126
Reputation: 338
You can ask for the email of the account whose password the user wants to reset. You can then verify that the email corresponds to the token, and then send the reset password email.
To avoid security risks, the password-resetting link (sent in the email) could be available only for a couple of hours (8), and the password would be reset ONLY if the user clicks on it, not before. So nobody can reset your password if he doesn't have your token and your email address, and if he has no access to your email account.
Upvotes: 1
Reputation: 399
The idea behind using a token is security.
You usually create your own token using information only visible to you.
Consider a scenario where someone understands that to reset someone's password all he has to do is get to a specific link and add the email to it: &email={user_email}
That would make it extremely unsafe.
But if you hash a token with information only you know of, you can do something like:
&email={user_email}&token={token}
And then retrieve the token in your code, check whether it fits your specific rules or whatnot, and only then reset that email's password.
Let me give you an example of how to hash it in a way only visible to you and enjoy the benefits of extra safety features.
Let's say you hash it using the email + today's date:
$token = md5($email . date('Y-m-d', time())); // string concatenation with '.', not numeric '+'
This will make the token valid only for today.
Upvotes: 1
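The following is an added example, not code from the question or from either answer, showing the whole flow the thread discusses: a row in a reset table that links a token to an email, a lookup by the token from the link, the email cross-check from the first answer, and an 8-hour validity window. It assumes PDO with an in-memory SQLite database and table and function names chosen for this example (`users`, `password_resets`, `createResetToken`, `resetPassword`); sending the email itself is left out. One deliberate difference from the second answer: instead of deriving the token from the email and the date, it draws the token from `random_bytes()` and stores only its SHA-256 hash, so a token cannot be predicted from public information and a copy of the table does not yield usable links.

```php
<?php
// Added example (not from the question or the answers): minimal password-reset token flow.
// Assumptions: PDO with pdo_sqlite available; table and function names are invented here.

const RESET_TTL_SECONDS = 8 * 3600; // link valid for 8 hours, as suggested in the first answer

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
        $pdo->exec('CREATE TABLE password_resets (
            token_hash TEXT PRIMARY KEY,
            email      TEXT NOT NULL,
            expires_at INTEGER NOT NULL,
            used       INTEGER NOT NULL DEFAULT 0)');
        // Constructed sample user for the demo run.
        $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
        $stmt->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// Step 1: the user submits their email. Returns the raw token that goes into the emailed link,
// or null if the email is unknown (the page shown to the user should look the same either way,
// so the form does not reveal which addresses have accounts).
function createResetToken(string $email): ?string {
    $pdo = db();
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email = ?');
    $stmt->execute([$email]);
    if (!$stmt->fetchColumn()) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 random bits: cannot be guessed from email + date
    $stmt = $pdo->prepare(
        'INSERT INTO password_resets (token_hash, email, expires_at) VALUES (?, ?, ?)');
    // Only the hash is stored; the raw token exists only in the email link.
    $stmt->execute([hash('sha256', $token), $email, time() + RESET_TTL_SECONDS]);
    return $token;
}

// Step 2: the user follows the link (reset.php?token=...) and submits email + new password.
// Look the token up by its hash, then require: row exists, not yet used, not expired,
// and the submitted email matches the email on that row (the "cross-reference" from the question).
function resetPassword(string $token, string $email, string $newPassword): bool {
    $pdo = db();
    $tokenHash = hash('sha256', $token);
    $stmt = $pdo->prepare(
        'SELECT email, expires_at, used FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['used'] === 1 || (int) $row['expires_at'] < time()
        || $row['email'] !== $email) {
        return false;
    }
    // Mark the token used and change the password in one transaction, so the link is single-use.
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE password_resets SET used = 1 WHERE token_hash = ?')
        ->execute([$tokenHash]);
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE email = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['email']]);
    $pdo->commit();
    return true;
}

// Demo run with the constructed user.
$token = createResetToken('alice@example.com');
$link  = 'https://example.com/reset.php?token=' . urlencode($token); // what the email would carry
echo "Reset link: $link\n";
var_dump(resetPassword($token, 'mallory@example.com', 'x'));          // false: email does not match the row
var_dump(resetPassword($token, 'alice@example.com', 'new-password')); // true
var_dump(resetPassword($token, 'alice@example.com', 'again'));        // false: token already used
```

In the real handler, `$token` in step 2 comes from `$_GET['token']` and the email and new password from the POSTed form; the lookup answers the question's "check the token exists and pick the email on the same row", and the three extra checks (expiry, single use, email match) are what stop a stale or forwarded link from being replayed.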