Session Security for password reset
Just finished coding a password reset system and just wanted to check no-one could think of any exploits for it.
What happens is:
User inputs an email address.
The system checks an account exists for it, and if it does:
A random hash is saved in a session variable.
That hash is also emailed to the user.
The user clicks the link in the email which is in the format:
If the session key and the email key match, the user is given the option to reset the password.
Obviously you must be on one computer for the whole time, e.g. (can't click the reset link on your phone), but does anyone see any gaping flaws with it?
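The flow described in the post, written out as an added example (not the poster's own code): a random token goes into the server-side session and into the e-mailed link, and the reset page is only unlocked when the two match. The session store, user table and mailer are constructed in-memory stand-ins, and the link URL is an assumed placeholder.

```python
import secrets
import hmac

# Constructed stand-ins for the framework's session store, the user
# database and the mailer (assumptions; none of this is from the post).
USERS = {"alice@example.com": {"password": "old-secret"}}
OUTBOX = []  # (recipient, reset link) pairs the "mailer" would have sent

def request_reset(session: dict, email: str) -> None:
    """Steps 1-3: look up the account, store a random token in the
    session and e-mail the same token. Returns nothing either way, so the
    form's response does not reveal which addresses have accounts."""
    if email in USERS:
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        session["reset_token"] = token
        session["reset_email"] = email
        OUTBOX.append((email, f"https://app.example/reset?key={token}"))

def can_reset(session: dict, key_from_link: str) -> bool:
    """Step 4: the link is only honoured by the browser session that
    requested it; a session without a stored token (another device) fails."""
    expected = session.get("reset_token")
    if expected is None:
        return False
    # constant-time comparison so the token cannot be guessed byte by byte
    return hmac.compare_digest(expected, key_from_link)

def complete_reset(session: dict, key_from_link: str, new_password: str) -> bool:
    """Change the password and consume the token so the link is single-use."""
    if not can_reset(session, key_from_link):
        return False
    USERS[session["reset_email"]]["password"] = new_password
    session.pop("reset_token", None)
    session.pop("reset_email", None)
    return True

def key_from_link(link: str) -> str:
    """Pull the key parameter back out of the e-mailed link."""
    return link.rsplit("key=", 1)[1]
```

Running `request_reset` with one session dict and then `complete_reset` with an empty dict reproduces the "must be on the same computer" behaviour the post describes.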