Good thinking. This idea is much better.

-w

At 10:33 PM 1/4/2004, you wrote:
> >For best practices-sake, if the user forgets their password, you should
> >only be able to generate a new one and email it out
>
>I prefer not to send any password via mail (auto or user-generated). If a
>user forgets his/her password we do a couple of things:
>
>1- user must type the registered email in his account (assuming you ask
>for an email when registering and it is unique)
>2- an email with a link (which holds a random UUID) is sent to the user's
>email
>3- the UUID and the user id is stored in the database along with date/time
>4- user has 24 hours to click on the link in the email... after this the
>link will be invalid (the link will also work only once...)
>5- when the user clicks the link, he/she gets two textfields to provide a
>new password (new password and confirmation)
>6- after that the password is reset to the new value
>
>A little complex, but we mention to the user in the emails sent that it
>is in his/her best interest not to have any kind of password sent via mail.
>
>hth
>
>mauricio
>
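The six-step reset flow quoted above, as an added Python example (not code from the original thread or from mauricio's system). The in-memory USERS and RESET_TOKENS dicts stand in for the database tables, times are epoch seconds, and two details not in the post are assumptions: the stored token is hashed, and the new password is stored as a salted PBKDF2 hash.

```python
import hashlib
import secrets
import uuid

# Constructed in-memory stand-ins for the user and reset-token tables.
USERS = {"alice@example.com": {"user_id": 1, "salt": None, "pw_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user_id", "created", "used"}
TOKEN_LIFETIME = 24 * 3600  # step 4: link valid for 24 hours (times are epoch seconds)

def _hash_token(token):
    # Assumption beyond the post: store only a hash so a leaked table yields no working links.
    return hashlib.sha256(token.encode()).hexdigest()

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def request_reset(email, now):
    """Steps 1-3: match the registered e-mail, mint a random UUID, store it with the time."""
    user = USERS.get(email)
    if user is None:
        return None  # caller shows the same message either way
    token = str(uuid.uuid4())  # uuid4 is drawn from os.urandom
    RESET_TOKENS[_hash_token(token)] = {"user_id": user["user_id"], "created": now, "used": False}
    return token  # only the e-mailed link carries the raw token

def redeem_token(token, now):
    """Step 4: reject unknown, already-used or expired tokens; mark good ones used."""
    rec = RESET_TOKENS.get(_hash_token(token))
    if rec is None or rec["used"] or now - rec["created"] > TOKEN_LIFETIME:
        return None
    rec["used"] = True  # the link works only once
    return rec["user_id"]

def reset_password(token, new_password, confirmation, now):
    """Steps 5-6: both fields must agree, then the stored hash is replaced."""
    if new_password != confirmation:
        return False  # token left intact so the user can retry the form
    user_id = redeem_token(token, now)
    if user_id is None:
        return False
    user = next(u for u in USERS.values() if u["user_id"] == user_id)
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    return True

def verify_password(email, password):
    """Login check against the salted hash written by reset_password."""
    user = USERS.get(email)
    if user is None or user["pw_hash"] is None:
        return False
    return secrets.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
```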