#1

    Session Security for password reset

    Hello,
    Just finished coding a password reset system and wanted to check that no one could think of any exploits for it.


    What happens is:

    User inputs an email address.
    The system checks an account exists for it, and if it does:
    A random hash is saved in a session variable.
    That hash is also emailed to the user.

    The user clicks the link in the email which is in the format:
    site.com/reset.php?key=123456789

    If the session key and the email key match, the user is given the option to reset the password.

    Obviously you must be on one computer for the whole time (e.g. you can't click the reset link on your phone), but does anyone see any gaping flaws with it?

  • #2 (Fou-Lu)
    The only real problem I see of using sessions within the reset password functionality is that the user requires cookies in order to perform a reset.
    Personally, I'd suggest that a simple UUID() generation for a key sent via email is sufficient. The chance of collision before consuming it is so small it likely is of no concern to add on the session check. If you're not comfortable with that, perhaps stacking that on with a request to enter a value within an email would be better. The only thing I'm suggesting overall is that you don't focus on the use of sessions at all, but I do suggest time limitation would be wise.

  • #3
    Keeping this stuff in the session is so-so. What if the email is received after the session expires? The unique hash for the password reset can be stored in the DB. It will also avoid session poisoning in some way.