10-05-2012, 12:50 AM | #26
tangoforce
No!

As I've told you before, just generate the uniqid() when the user CLICKS THE FORGOT PASSWORD LINK.

Then store it in the table and send the email with the link.

When the user clicks it, check the user id in the link, select their record and check that the key from the link matches what is in the reset column. If it is, it's the legitimate user. If not then output an error.

The reason I don't want you to generate a uniqid() when the users register is because if someone hacks your site and gets into your db and grabs your reset column they can screw over every single user of your site. Therefore you only put it there when it's needed.
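The flow described in the post above (create the key only on a forgot-password request, store it, email the link, compare on click), as an added example that is not part of the original post. The table and column names, the example.test URL and the one-hour expiry are assumptions; it also swaps uniqid(), which is derived from the clock, for random_bytes(), and stores only a hash of the key so a dumped reset column cannot be used directly.

```php
<?php
// Added example. Assumed schema: users(id, email, reset_hash, reset_expires).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,
           reset_hash TEXT, reset_expires INTEGER)');
$db->exec("INSERT INTO users (id, email) VALUES (7, 'user@example.test')"); // constructed row

// Step 1: runs only when the user clicks the "forgot password" link.
function startReset(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));   // CSPRNG key, used here instead of uniqid()
    $stmt = $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE id = ?');
    // Only the SHA-256 of the key is stored; the key itself exists only in the email.
    $stmt->execute([hash('sha256', $token), time() + 3600, $userId]);
    return "https://example.test/reset.php?id=$userId&key=$token"; // link to send by email
}

// Step 2: runs when the emailed link is clicked.
function checkReset(PDO $db, int $userId, string $key): bool
{
    $stmt = $db->prepare('SELECT reset_hash, reset_expires FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int) $row['reset_expires'] < time()) {
        return false;                     // unknown user, no pending reset, or expired
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $key))) {
        return false;                     // key from the link does not match the column
    }
    // Single use: empty the column again so the same link cannot be replayed.
    $db->prepare('UPDATE users SET reset_hash = NULL, reset_expires = NULL WHERE id = ?')
       ->execute([$userId]);
    return true;
}

$link = startReset($db, 7);
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(checkReset($db, 7, 'not-the-key')); // a wrong key
var_dump(checkReset($db, 7, $q['key']));     // the key from the emailed link
var_dump(checkReset($db, 7, $q['key']));     // the same link clicked a second time
```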