I re-read my post and it wasn't that clear. Let me restate.
1. If a user wants to reset their password, they will request it by clicking a link, verifying their email and that it matches the email on file for the username they are trying to reset the password for.

2. If successful, the user will be sent a link. To prepare this link, a unique string (uuid) and the date will be combined into one string, then hashed. The uuid and date will also be entered into a table called "resetRequests", along with the member ID of the request. Lastly, a date will be entered into the table so that an expiration can be enforced.

   ex. company.com/resetPW.cfm?key=LKDJFLKDJFLKDJFDLKJ&member_id=324

3. Upon clicking the link, the 'resetRequests' table would be queried for the last request in the table matching the memberID in the link. The UUID and date from the table would be hashed, and that hash would be compared to the 'key' value in the string. If they match, then it is a valid, secure request.

4. Lastly, the value of now() would be compared to the datetime in the result set, and if the time diff is less than 24 hours, the request will be granted.

5. From here, the user will be presented with a small form where they can enter in a new password and password hint.

Sound ok?

-- 
Open BlueDragon Public Mailing List
http://www.openbluedragon.org/
http://twitter.com/OpenBlueDragon
mailing list - http://groups.google.com/group/openbd?hl=en
!! save a network - please trim replies before posting !!
