CodingForums.com

Best way to allow users to reset a password. (http://www.codingforums.com/showthread.php?t=274969)

LearningCoder 10-02-2012 08:09 PM

Best way to allow users to reset a password.
 
Just wondering what the best way is to allow a user to change their password?

Currently, I am thinking to write a page where they enter their username.

Then, I was going to send the user an email, containing a link to click.

The link contains a different page with a form with a field to enter a new password.

Is that good enough or is there a better way to do this?

Thank you in advance for your thought and ideas.

Regards,

LC.

tangoforce 10-02-2012 08:19 PM

That's about the only way really LC, other than getting them to confirm a secret security question answer that they sent when registering when they click that link.

It's never a good idea to store passwords as plaintext and send them by email, storing them as a hash and emailing them a link is really the only practical way.

LearningCoder 10-02-2012 10:04 PM

Ok thank you for confirming that.

How do I determine which user's password to reset? Do I have to pass the user id along in the url when I write the email? Then use that on the page where they enter their new password?

I put a 'draft' version online but it doesn't seem to be sending me an email when I register, which it is supposed to.

Here is my code:
PHP Code:

// Write the email after the data is successfully inserted.
// $email, $user and $pass are set earlier in the registration script from the submitted form.
$to = $email;
$subject = "Thank you for registering at Demo-Central!";

// Build the HTML body of the welcome email.
$message = "Welcome ".$user."<br />\n<br />\n";
$message .= "Thank you for registering at Demo-Central.<br />\n";
$message .= "You can now enjoy the ability to upload your own demos to show off and also <br />\n";
$message .= "editing your own profile to make yourself unique. Below you will find your login details:<br />\n<br />\n";
$message .= "Your username is:".$user."<br />\n";
$message .= "Your password is:".$pass."<br />\n<br />\n";
$message .= "Please save this email to ensure you can retrieve your username or password should you forget it.<br />\n<br />\n";
$message .= "We look forward to watching you.<br />\n<br />\n";
$message .= "Kind regards,<br />\n<br />\n";
$message .= "Demo-Central Administrator.";

// mail() only reports that the message was handed to the local mailer, not that it was delivered.
if (mail($to, $subject, $message)) {
    echo "You have successfully registered! You will be contacted shortly with your login details.<br />";
    echo "Please follow the <a href='login.php'>link</a> to the login page.";
    exit(0);
}
else {
    echo "You have successfully registered but there was an error sending your email.<br />";
    echo "You are still able to login. Please contact the site administrator at flipmodeskwaud@hotmail.co.uk to report the problem.<br />";
    echo "Follow the link to the <a href='login.php'>login</a> page.";
    exit(0);
}

It is saying that the email successfully sent so the mail function seems to be returning true...

Do you know if there is anything I should look into on my host?

Kind regards,

LC.

tangoforce 10-02-2012 10:17 PM

You can send an email in any part of your code that you want.

mail() or any other mailing function, script or program you may want to use, doesn't depend on a mysql connection.

If you're not receiving an email and you're using the mail() function then you need to look at the 4th and 5th parameter. This is quite a common problem with so many tutorials teaching you to only use the first three parameters.

LearningCoder 10-02-2012 10:21 PM

So they require headers?

Regards,

LC.

tangoforce 10-02-2012 10:23 PM

Yes, but not in the HTTP sense. Well, yes in the way that the headers are at the top of the email separated by a blank line (like HTTP), but no in the fact that email headers work a bit differently. For the mail() function you have to supply any extra headers as a parameter, not using a header() call.

See this: http://www.php.net/mail

That will help you out with the additional parameters.

LearningCoder 10-02-2012 10:28 PM

Heh I was just on there. Thought it would just work with a simple 3 parameters.

I did have a brief scan over the header part but it was a bit complicated. I'll go over it again.

Regards,

LC.

tangoforce 10-02-2012 10:36 PM

Quote:

Originally Posted by LearningCoder (Post 1275725)
Thought it would just work with a simple 3 parameters.

No I'm afraid not! Unfortunately though, many tutorials teach you to use it with just 3 parameters - no idea why, it just seems to be common practice. My first PHP BOOK (yes, book that I paid money for) did the very same thing :eek: :rolleyes:

LearningCoder 10-02-2012 11:39 PM

Heh so what headers would you say are 'required'?

It says the 'From:' header is, but I'm not sure on Content-Type, MIME-Version, Reply-To, X-Mailer etc.

I'm sure I read somewhere that you need to include the mime-version or content-type header if you are sending html??

Regards,

LC.

tangoforce 10-03-2012 12:31 AM

If you're sending html email then you're best off using a class called phpmailer (google). It's a lot more complex but it'll save you a lot of hassle in the long run.

If you're just sending plain text emails, then all you really need is the From header.

LearningCoder 10-03-2012 10:05 AM

Awesome. I wasn't sure that because I was sending a link inside the email, whether or not it would be classed as sending html?

Also, when the user enters their username to be reset and I send them an email, do I have to pass their specific ID through the URL of the link? Or can I just pass their username through and use that in the query??

Kind regards,

LC.

tangoforce 10-03-2012 11:46 AM

Quote:

Originally Posted by LearningCoder (Post 1275865)
Awesome. I wasn't sure that because I was sending a link inside the email, whether or not it would be classed as sending html?

Many email clients will automatically turn a URL into a hyperlink even if it's just a plain text email.

Quote:

Originally Posted by LearningCoder (Post 1275865)
Also, when the user enters their username to be reset and I send them an email, do I have to pass their specific ID through the URL of the link? Or can I just pass their username through and use that in the query??

It's entirely up to you really. Using a username IMO is a security risk - anyone could use that URL if they know other users' usernames (eg from your forums). What I would personally do is to create a unique key (uniqid() is useful for that) and store it in the users table in a column called reset (which is also unique). Then use that in the URL. When a user clicks the link you select the record by the key and do your thing :thumbsup:
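The flow tangoforce describes above (generate a key, store it in a unique reset column, put it in the link, select the record by the key when the link is opened), together with the point made earlier in the thread that a plain-text mail() call needs its From header passed as the fourth parameter, written out as an added PHP example. This is not code from the thread or from either poster. It assumes a PDO connection in $pdo, a users table with columns id, username, email, password_hash and reset, plus a reset_expires column added here as an assumption so a link stops working after an hour. Two things are swapped in deliberately and labelled in the comments: random_bytes() is used instead of uniqid(), because uniqid() is derived from the clock and is not meant to be unguessable, and the database stores a SHA-256 hash of the key rather than the key itself, so that reading the users table does not yield working reset links.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection in $pdo and
// a `users` table with columns id, username, email, password_hash, reset (UNIQUE)
// and reset_expires (assumption: DATETIME, NULL when no reset is pending).

// Step 1: the user submits a username; generate a key and email the link.
function sendResetLink(PDO $pdo, string $username, string $baseUrl, string $from): bool
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Same response whether or not the username exists, so the form
        // cannot be used to check which usernames are registered.
        return true;
    }

    // random_bytes() instead of uniqid(): the key has to be unguessable,
    // and uniqid() is based on the current microsecond timestamp.
    $key = bin2hex(random_bytes(32));                 // 64 hex characters
    $stored = hash('sha256', $key);                  // only the hash is stored
    $expires = date('Y-m-d H:i:s', time() + 3600);   // valid for one hour

    $upd = $pdo->prepare('UPDATE users SET reset = ?, reset_expires = ? WHERE id = ?');
    $upd->execute([$stored, $expires, $row['id']]);

    $link = $baseUrl . '/reset.php?key=' . $key;
    $body = "Someone asked to reset the password for your account.\n"
          . "If that was you, open this link within one hour:\n\n"
          . $link . "\n\n"
          . "If it was not you, you can ignore this email.\n";

    // Plain text email, so the From header is the one mail() really needs.
    // Extra headers go in the 4th parameter, one per line, CRLF separated.
    $headers = "From: " . $from . "\r\n"
             . "Reply-To: " . $from . "\r\n";
    return mail($row['email'], 'Password reset', $body, $headers);
}

// Step 2: reset.php receives the key and the new password; look the record
// up by the key, replace the password hash and clear the key so the link
// cannot be used a second time.
function completeReset(PDO $pdo, string $key, string $newPassword): bool
{
    // The key is always 64 hex characters; reject anything else before querying.
    if (!preg_match('/^[0-9a-f]{64}$/', $key)) {
        return false;
    }
    // Compare expiry in PHP's clock, so the DB server's timezone does not matter.
    $stmt = $pdo->prepare('SELECT id FROM users WHERE reset = ? AND reset_expires > ?');
    $stmt->execute([hash('sha256', $key), date('Y-m-d H:i:s')]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || strlen($newPassword) < 8) {
        return false;
    }

    $upd = $pdo->prepare(
        'UPDATE users SET password_hash = ?, reset = NULL, reset_expires = NULL WHERE id = ?'
    );
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['id']]);
    return true;
}

// Usage (values are placeholders):
// sendResetLink($pdo, $_POST['username'], 'https://example.com', 'noreply@example.com');
// completeReset($pdo, $_GET['key'], $_POST['password']);
```

Because reset is declared UNIQUE, two users can never hold the same pending key; MySQL allows multiple NULLs in a unique column, so clearing the column back to NULL after use does not collide. The hash comparison in the query is what makes storing the hash work: the link carries the key, the table holds only its SHA-256, and the lookup hashes the submitted key before matching.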

LearningCoder 10-03-2012 07:23 PM

Ah thank you. I'll read into uniqid() right now and see where I get to.

Quote:

store it in the users table in a column called reset (which is also unique)
When you say the table column is also unique, what do you mean by that? You mean just explicitly create a separate column or is there a special way to make it unique?

Kind regards,

LC.

tangoforce 10-03-2012 07:24 PM

Yes, in phpMyAdmin you can set a column to be unique. If you try to insert a duplicate value it will reject it.

LearningCoder 10-03-2012 07:33 PM

Would you suggest I use the two parameters which are passed to uniqid()?

I notice they are both optional. It looks like it may be a good idea to use the second and set it to TRUE?

Thank you for your help so far.

Kind regards,

LC.

