In most of our applications that we run our basic authentication is to have
them provide their email address as a username and then a password.
We store that password hashed with salt onto our databases, and have no real
way of knowing what it is. If a user forgets their password then they have
the system email them a link with a URL with a GUID variable that takes them
to a page where they can reset their password to whatever they want again,
and again only its hash is stored in our databases.
Now this is all fine and dandy, except what happens if this person both
forgets their password and changes email, say they changed jobs and no
longer have access to the old email, how do you now authenticate this
person?
Currently, we don't have any secret questions or the like set up, but is
that the only way.
Just curious on some of your ideas out there on how you do authentication,
especially in the case of changed email and forgotten password.
Cheyenne
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
