matteo

Reputation: 147

Create a time limited page in php

I'm trying to implement a forgotten-password page on my website. I would just like to know if my idea is correct. The user enters his email address; I save his IP, a timestamp, and an id for a "random password change" page in a database. I create this "random password change" page with fopen(). Once the user clicks on the email link, I check whether the page should be expired (e.g. 30 min). If it's expired, I redirect the user to a "sorry, too late" page where I delete the "random password change" page with unlink(); if it's not expired, I let the user change his password, redirect him to a "password changed" page, and from there I remove the "random password change" page with unlink(). Side effect of this: if the user doesn't click on the email link, my random page will never be deleted.

What do you think of this? Is that a good practice?

UPDATE

Hi everybody! Thanks to all of you for your help! Everything seems to run smoothly now :)

Upvotes: 0

Views: 385

Answers (5)

danijar

Reputation: 34215

Please don't save a file to your server!

You should store the user's id, the timestamp and a token in the table of password requests. Additionally, you send the user a mail with a link including the token as a GET parameter

(e.g. www.domain.com/forgottenpassword.php?token=CK32A8).

This requested page should offer a form to enter the new password. On getting a request from this page, the server checks both the token (must be the same) and the time (actual < saved + delay) using the database information.

Token Generation

Don't use a hash of username and timestamp. This way, an alien could create a token by himself. Of course it is unlikely; it always is. :-) So use a random string and hash it, or combine a random string with user information if you want.

Upvotes: 0

DerVO

Reputation: 3679

No, it is not a good idea to actually create a page in the file system. You have your database to store the information.

You save the email address (or any other identifier of the user – I would not suggest using the IP), a timestamp and a secret key (you called it an id) to the database. Then you send an email to the user containing a link like changepass.php?email=<address>&key=<key>.

When the user opens this URL, you get the email address and key as parameters and can check in your database whether the email and key match and the timestamp is not too old. If this is OK, you allow the user to change his password. If this is not OK, you show an error message.

Upvotes: 0

cweinberger

Reputation: 3588

Better approach:

Create one php page forgotPassword.php.

If a user forgets his password, save the following information:

  • activationid, userid, random-activationcode, timestamp

Now send out a link forgotPassword.php?activationid=1234&random-activationcode=56789

If the user clicks on the link, open the page and present a form where the user can reset his password. If the page is expired (compare with the timestamp), present a "page not available" message instead.

Best, Christian

Upvotes: 0

hsz

Reputation: 152284

A better way in my opinion is to generate a random hash associated with the user's email and a creation timestamp.

Then send the user a URL like:

http://example.com/[email protected]&token=fdeW3tx

Then check in this file whether the email and token exist and whether the current time is less than the creation time + 30 minutes.

If so, pass activation.

Upvotes: 0

Marc B

Reputation: 360782

There's no need to have a dedicated file for each confirmation. The confirmation code can be passed as a query parameter in the URL:

http://example.com/verifyme.php?confirmation=XXXXX

The script would retrieve it via

$code = $_GET['confirmation'];

and then the confirmation/deactivation business takes place in the database. The verifyme page would always be present, but simply not do anything unless a code is passed in.

Upvotes: 3
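The answers above all describe the same flow: store a random token together with a timestamp in the database, mail a link that carries the token as a GET parameter (Marc B's `$_GET['confirmation']`), and on the request check that the token matches and that less than 30 minutes have passed (hsz, DerVO), generating the token from a CSPRNG rather than a hash of username and time (danijar's "Token Generation"). The following is an added worked example in PHP, not code from the question or from any of the answers. The `users` and `password_resets` tables, the `forgottenpassword.php` URL, the sample user and the `id`/`token` parameter names are assumptions; it uses an in-memory SQLite database through PDO so it runs stand-alone. It goes a little beyond the answers in two places: only a SHA-256 hash of the token is stored, so a leaked table does not yield usable links, and a token is marked used once the password is changed, so the link cannot be replayed within the 30-minute window.

```php
<?php
// Added example (not from any answer on this page). Table names, column names,
// the forgottenpassword.php URL and the sample user are assumptions.
declare(strict_types=1);

const RESET_TTL_SECONDS = 30 * 60; // 30 minutes, as in the question

function setupSchema(PDO $db): void
{
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    // token_hash: only the hash of the token is stored, never the token itself
    $db->exec('CREATE TABLE password_resets (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        user_id INTEGER NOT NULL,
        token_hash TEXT NOT NULL,
        created_at INTEGER NOT NULL,
        used_at INTEGER DEFAULT NULL)');
}

// Step 1: the user submits an e-mail address. Returns the link to mail, or null if unknown.
function createResetLink(PDO $db, string $email, string $baseUrl, int $now): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null; // show the same "if that address exists, we sent a mail" either way
    }
    $token = bin2hex(random_bytes(32)); // CSPRNG output, not a hash of username + timestamp
    // Invalidate any earlier outstanding request for this user
    $db->prepare('UPDATE password_resets SET used_at = ? WHERE user_id = ? AND used_at IS NULL')
       ->execute([$now, $userId]);
    $db->prepare('INSERT INTO password_resets (user_id, token_hash, created_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $now]);
    $resetId = (int) $db->lastInsertId();
    return $baseUrl . '/forgottenpassword.php?id=' . $resetId . '&token=' . $token;
}

// Step 2: the link is opened. Returns the user id if the request is valid, otherwise null.
function verifyResetRequest(PDO $db, int $resetId, string $token, int $now): ?int
{
    $stmt = $db->prepare('SELECT user_id, token_hash, created_at, used_at FROM password_resets WHERE id = ?');
    $stmt->execute([$resetId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['used_at'] !== null) {
        return null; // unknown id, or token already consumed
    }
    // Constant-time comparison of the stored hash with the hash of the presented token
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    // "actual < saved + delay": expired once 30 minutes have passed
    if ($now >= (int) $row['created_at'] + RESET_TTL_SECONDS) {
        return null;
    }
    return (int) $row['user_id'];
}

// Step 3: the form is submitted with the new password; the token is consumed.
function completeReset(PDO $db, int $resetId, string $token, string $newPassword, int $now): bool
{
    $userId = verifyResetRequest($db, $resetId, $token, $now);
    if ($userId === null) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare('UPDATE password_resets SET used_at = ? WHERE id = ?')
       ->execute([$now, $resetId]);
    $db->commit();
    return true;
}

// Demonstration with a constructed user and a simulated clock
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

$t0 = time();
$link = createResetLink($db, 'alice@example.com', 'https://www.example.com', $t0);
parse_str((string) parse_url((string) $link, PHP_URL_QUERY), $q); // what forgottenpassword.php sees in $_GET

var_dump(verifyResetRequest($db, (int) $q['id'], 'not-the-token', $t0 + 60));      // NULL: wrong token
var_dump(verifyResetRequest($db, (int) $q['id'], $q['token'], $t0 + 31 * 60));     // NULL: too late
var_dump(completeReset($db, (int) $q['id'], $q['token'], 'new-password', $t0 + 60)); // bool(true)
var_dump(verifyResetRequest($db, (int) $q['id'], $q['token'], $t0 + 61));           // NULL: already used
```

Because nothing is written to the file system, there is no page to unlink: an unused request simply expires, and expired rows can be purged by a periodic `DELETE ... WHERE created_at < ?` without affecting live links. The reset page itself is always present and just does nothing useful unless a valid `id` and `token` arrive.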
