Serenity

Reputation: 5098

Send email to user for password reset

The flow is:

  1. User enters email address.
  2. After submit, an email is sent to the user.
  3. The email will include a link that will take the user to a reset password page.

Now, how do I fetch the user's ID based on the email address and encrypt it? Then what should the link be? Like, what I want is to fetch the user ID, then encrypt it somehow so that the link doesn't contain the actual ID, and that link will take the user to a page that will have textboxes to reset the password. I am just confused about how to go about it.

Also, is this the secure way to reset a password, like this?

Upvotes: 3

Views: 7250

Answers (3)

justingordon

Reputation: 12903

There is a railscast on exactly this subject: http://railscasts.com/episodes/274-remember-me-reset-password?view=asciicast

Upvotes: 0

Andreas Paulsson

Reputation: 7803

I usually create a new table in the database:

PasswordresetRequest with the following fields:

  • Id: Guid - ID of the password reset request.
  • Accountid: string - username of the user.
  • Created: DateTime - timestamp of when the password reset request was created.

Flow is as follows:

  1. User requests a password reset at the web site.
  2. A new record is created in the PasswordresetRequest table.
  3. An email with a link to the password reset page, with the password request ID as a request parameter, is sent to the user.
  4. User clicks on the link in the email, which sends him to the password reset page.
  5. The password request is fetched from the database using the request parameter. If the request could be found and is not older than e.g. 12 hours, a form is presented to the user where he can enter a new password.

This is pretty simple to implement and is secure enough for most sites.

Upvotes: 15

danijels

Reputation: 5291

There are any number of ways to go about doing this. If your major concern is security, one way could be to send a link that contains a GUID parameter which you create and store on your end (in a db table, file or whatever suits you) together with the user ID associated with it. When the request for password reset comes in, you check for the GUID and look whether there is a matching value in your db/file/whatever, and proceed with the password reset. Don't forget to delete the GUID from your storage to prevent multiple use of the same link.

Upvotes: 1
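The two answers above describe the same design from two angles: a separate reset-request table keyed by an unguessable value with a creation timestamp and an expiry window (Andreas Paulsson), and deleting the record once the link has been used (danijels). The following is an added example, written for this page rather than taken from either answer or from the railscast, that puts both pieces together in Ruby. Instead of encrypting the user ID as the question proposes, it generates a random 256-bit token with the OS CSPRNG, stores only a SHA-256 hash of it, and keeps the user ID out of the link entirely. The database tables are replaced by in-memory hashes, the sample user and the `base_url` are constructed for the example, and the `now:` keyword argument exists only so the expiry logic can be exercised without waiting 12 hours.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-ins for the two tables the answers describe. A real site
# would use its ORM; plain hashes keep the example runnable offline.
USERS = { "alice@example.com" => { id: 42 } }.freeze   # sample user, constructed
RESET_REQUESTS = {}   # sha256(token) => { account_id:, created: }

RESET_TTL = 12 * 60 * 60   # seconds; the 12-hour window used in the answer above
TOKEN_BYTES = 32           # 256 bits of entropy from the OS CSPRNG

def token_key(token)
  # The table is keyed by a hash of the token, not the token itself, so a
  # leaked copy of the table cannot be turned into working reset links.
  Digest::SHA256.hexdigest(token.to_s)
end

# Step 2: insert a PasswordresetRequest row and return the raw token for the
# email. Returns nil for an unknown address; the HTTP response should look the
# same in both cases so the form cannot be used to enumerate accounts.
def create_reset_request(email, now: Time.now)
  user = USERS[email]
  return nil if user.nil?
  token = SecureRandom.urlsafe_base64(TOKEN_BYTES)
  RESET_REQUESTS[token_key(token)] = { account_id: user[:id], created: now }
  token
end

# Step 3: the link that goes into the email. The random token is the only
# parameter; the user's ID never appears in the URL. base_url is assumed.
def reset_link(token, base_url: "https://example.com")
  "#{base_url}/password_reset?token=#{token}"
end

# Shared by steps 4 and 5: fetch the row for a presented token, rejecting and
# purging it if it is older than RESET_TTL. Returns the row or nil.
def fetch_valid_request(token, now)
  key = token_key(token)
  record = RESET_REQUESTS[key]
  return nil if record.nil?
  if now - record[:created] > RESET_TTL
    RESET_REQUESTS.delete(key)   # expired: drop it so it can never be used
    return nil
  end
  record
end

# Step 4/5 (GET of the link): decide whether to show the new-password form.
# Returns the account id, or nil for an unknown, expired or already-used token.
def lookup_reset_request(token, now: Time.now)
  record = fetch_valid_request(token, now)
  record && record[:account_id]
end

# Step 5 (POST of the new password): same check, but the row is deleted on
# success so the link works exactly once, as the last answer recommends.
def consume_reset_request(token, now: Time.now)
  record = fetch_valid_request(token, now)
  return nil if record.nil?
  RESET_REQUESTS.delete(token_key(token))
  record[:account_id]
end
```

Looking the row up by the hash of the presented token means an attacker who cannot guess the 256-bit token gains nothing from how the hash table compares keys, and a database dump only reveals hashes that cannot be reversed into usable links. The GET handler calls `lookup_reset_request` so that a mail scanner or link preview that fetches the URL does not burn the token; only the POST that actually sets the new password calls `consume_reset_request`.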
