Hi Guys, I know this isn't directly related to OpenBD, but that's what I'm using and this community is pretty slick. So, I will ask.
I'm working on a site and I am hashing all user passwords. This way, we don't have an actual copy of their password. Because of this, if someone forgets their password, we can't just email it to them, because we don't actually know it. So instead, we will reset their password to something random, and email it to them.

But, I was thinking of maybe just emailing them a link, which when clicked, THEN resets their password, and displays it on screen so they use it to login, then change their password to something they remember. Is that the best way? I'm thinking it might be better since it avoids sending a password in clear text via email, and if someone starts putting in other people's user names it won't matter because you have to actually get the email to the email on file to click the link and reset it.

If I do it this way, what's the best way to do it? I'm thinking I'm going to build a table for reset requests. I want to have a URL that is encrypted, so people can't abuse or toy with the script. Something like company.com/resetpw.cfm?key=lkJLDKJFDLJKFLDKJFDLKJFDLFKJD. That key would be a hash of a string comprised of the date of the request, their member id, and a random string. I would keep the date of the request, member id, and random string in a table. If hashing what is in the table matches the hash in the URL, and the date is less than 24 hours from the current NOW() time, then it's a valid request, and I will present the user with the ability to enter in a new password. Sound logical?

--
Open BlueDragon Public Mailing List
http://www.openbluedragon.org/
http://twitter.com/OpenBlueDragon
mailing list - http://groups.google.com/group/openbd?hl=en
!! save a network - please trim replies before posting !!
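The reset-link scheme described in the post (a table of reset requests holding the request date, member id and a random string; the emailed key is a hash over those three fields; a clicked link is valid only if the recomputed hash matches and the request is under 24 hours old), worked through as an added example. This is not code from the post or from OpenBD, and it is written in Python rather than CFML so it runs stand-alone; the table is an in-memory list, the member ids are constructed, and the single-use flag and constant-time comparison are additions a practitioner would want on top of the scheme as posted.

```python
"""Reset-by-link keys: issue one, then validate and consume it once.

Added example, not code from the original post. Python stands in for CFML,
an in-memory list stands in for the reset-requests table, and every member
id below is constructed.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

RESET_TTL = timedelta(hours=24)  # a link is honoured for 24 hours after the request


def utcnow():
    return datetime.now(timezone.utc)


def reset_key(requested_at, member_id, random_string):
    """The key that goes into the emailed URL: a SHA-256 over the request
    date, the member id and the random string, i.e. exactly the three
    fields kept in the reset-requests table."""
    material = f"{requested_at.isoformat()}|{member_id}|{random_string}"
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class ResetRequestTable:
    """Stand-in for the reset-requests table. Each row keeps the date of
    the request, the member id, the random string and a used flag."""

    def __init__(self):
        self.rows = []

    def issue(self, member_id, now=None):
        """Record a reset request and return the key to embed in the link."""
        requested_at = now or utcnow()
        # CSPRNG-backed random string: this is what makes the key unguessable,
        # since the date and member id alone are easy for anyone to predict.
        random_string = secrets.token_urlsafe(32)
        self.rows.append({
            "member_id": member_id,
            "requested_at": requested_at,
            "random_string": random_string,
            "used": False,
        })
        return reset_key(requested_at, member_id, random_string)

    def redeem(self, key, now=None):
        """Validate the key from a clicked link.

        Returns the member id when a row's recomputed hash matches the key,
        the row has not been used before, and the request is younger than
        RESET_TTL; otherwise None. A matching row is marked used so the same
        link cannot be replayed after the password has been changed.

        (A real table would store the key in an indexed column instead of
        recomputing it for every row; the scan here keeps the example short.)
        """
        now = now or utcnow()
        for row in self.rows:
            expected = reset_key(row["requested_at"], row["member_id"], row["random_string"])
            # Constant-time comparison: timing must not reveal how much of the key matched.
            if not hmac.compare_digest(expected, key):
                continue
            if row["used"]:
                return None
            if now - row["requested_at"] > RESET_TTL:
                return None
            row["used"] = True
            return row["member_id"]
        return None


if __name__ == "__main__":
    table = ResetRequestTable()
    key = table.issue(member_id=42)  # constructed member id
    print("link: company.com/resetpw.cfm?key=" + key)
    print("first click  ->", table.redeem(key))   # 42: show the new-password form
    print("second click ->", table.redeem(key))   # None: link already used
```

On a successful `redeem` the application shows the new-password form for that member; no temporary password ever has to be generated, emailed or displayed. A rejected key (no row, expired, or already used) should get one generic "this link is no longer valid" page rather than a reason, so the response does not tell a caller which member ids have pending requests.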
