>For best practices-sake, if the user forgets their password, you should
>only be able to generate a new one and email it out

I prefer not to send any password via mail (auto- or user-generated). If a user forgets his/her password we do a couple of things:

1- the user must type the email registered in his/her account (assuming you ask for an email when registering and it is unique)
2- an email with a link (which holds a random UUID) is sent to the user's email
3- the UUID and the user id are stored in the database along with the date/time
4- the user has 24 hours to click on the link in the email... after this the link will be invalid (the link will also work only once...)
5- when the user clicks the link, he/she gets two text fields to provide a new password (new password and confirmation)
6- after that the password is reset to the new value

A little complex, but we mention in the emails sent to the user that it is in his/her best interest not to send any kind of password via mail.

hth

mauricio
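The six-step flow above, as an added example that is not mauricio's code or from any project mentioned in the thread. It uses an in-memory SQLite table in place of the real database, a fixed "now" passed in by the caller so expiry can be exercised, and a hypothetical `request_reset`/`complete_reset` pair standing in for the two web pages. It goes beyond the post in three places, each marked in the comments: the token is generated with `secrets` rather than as a UUID, only a hash of the token is stored (so a leaked database does not hand out usable reset links), and all outstanding tokens for the user are invalidated once one is used.

```python
import hashlib
import secrets
import sqlite3

TOKEN_TTL_SECONDS = 24 * 60 * 60   # step 4: the link is valid for 24 hours


def open_db():
    """Constructed in-memory schema standing in for the real user/token tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    db.execute("CREATE TABLE reset_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, "
               "created_at REAL, used INTEGER NOT NULL DEFAULT 0)")
    return db


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _hash_token(token):
    # Addition beyond the post: store a digest of the token, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()


def create_user(db, email, password):
    salt = secrets.token_bytes(16)
    cur = db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                     (email, salt, _hash_password(password, salt)))
    return cur.lastrowid


def verify_password(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    return secrets.compare_digest(_hash_password(password, row[0]), row[1])


def request_reset(db, email, now):
    """Steps 1-3: look up the registered email, mint a random token, store its hash with a timestamp.

    Returns the raw token (this is what would go into the emailed link), or None if the
    email is not registered. The web layer should show the same page either way so the
    form cannot be used to probe which addresses exist (assumption, not stated in the post).
    """
    row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)   # addition: CSPRNG token instead of a UUID
    db.execute("INSERT INTO reset_tokens (token_hash, user_id, created_at) VALUES (?, ?, ?)",
               (_hash_token(token), row[0], now))
    return token


def complete_reset(db, token, new_password, confirmation, now):
    """Steps 4-6: accept the link once, within 24 hours, and set the new password."""
    if new_password != confirmation:          # step 5: the two text fields must match
        return False
    row = db.execute("SELECT user_id, created_at, used FROM reset_tokens WHERE token_hash = ?",
                     (_hash_token(token),)).fetchone()
    if row is None:
        return False                          # unknown link
    user_id, created_at, used = row
    if used or now - created_at > TOKEN_TTL_SECONDS:
        return False                          # step 4: single use and 24-hour expiry
    # Addition beyond the post: burn every outstanding link for this user, not just this one.
    db.execute("UPDATE reset_tokens SET used = 1 WHERE user_id = ?", (user_id,))
    salt = secrets.token_bytes(16)
    db.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE id = ?",
               (salt, _hash_password(new_password, salt), user_id))   # step 6
    return True


if __name__ == "__main__":
    db = open_db()
    create_user(db, "alice@example.com", "old-pass")        # constructed sample account
    link_token = request_reset(db, "alice@example.com", now=0.0)
    print("reset ok:", complete_reset(db, link_token, "new-pass", "new-pass", now=60.0))
    print("replay ok:", complete_reset(db, link_token, "x", "x", now=120.0))
```

The expiry check compares against the stored creation time, so a link that is clicked at hour 25 fails even though the row still exists; a periodic cleanup job can delete stale rows but is not needed for correctness.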
