Only thing I might clarify is in #1: a) You may want a captcha on this form to prevent bots/people from brute-forcing it. b) You may want to skip having the user enter their email - just the userid - since you won't send an email to any address other than the one registered with the account, having the user enter the email isn't really valuable. It also saves frustration on the user's part about not knowing which email address they registered this account with - their Yahoo, their Gmail, their Hotmail, etc. c) Don't give any other information on the post of this form other than "An email has been sent..." etc. Even if you didn't send one because the username is not a real username.
On #2: a) Not sure I'd bother with the memberid as well - just query the table for the hash - if you get a row, then do the date check, otherwise, it's a failure. I guess, though, it depends on how much you believe in the randomness of a hash (use a big SHA). It may seem like it's a lot more improbable that you could guess the hash and the userid together, but over a big 64+ character random string, I'm not sure it's THAT much more improbable (have to run the numbers) given what extra information you might be giving away. b) This page is a huge target for a brute-force attack, so you may want to look into ways of making this functionality live on a URL that is unique for each request, so you can't write a bot to just slam it with random strings. Perhaps use onMissingTemplate. In the onMissingTemplate method, do your reset query, and if there's no row, then return a 404, otherwise, return the reset form.

On May 18, 11:31 am, Jason Allen <[email protected]> wrote:
> I re-read my post and it wasn't that clear.
>
> Let me restate.
>
> 1. If user wants to reset their password, they will request it by
> clicking a link, verifying their email and that it matches the email
> on file for the username they are trying to reset the password for.
>
> 2. If successful, user will be sent a link. To prepare this link, a
> unique string (uuid) and the date will be combined into one string,
> then hashed. The uuid and date will also be entered into a table
> called "resetRequests", along with the member ID of the request.
> Lastly, a date will be entered into the table so that an expiration
> can be enforced.
>
> ex. company.com/resetPW.cfm?key=LKDJFLKDJFLKDJFDLKJ&member_id=324
>
> 3. Upon clicking the link, the 'resetRequests' table would be queried
> for the last request in the table matching the memberID in the link.
> The UUID and date from the table would be hashed, and that hash would
> be compared to the 'key' value in the string. If they match, then it
> is a valid, secure request.
>
> 4. Lastly, the value of now() would be compared to the datetime in the
> result set, and if the time diff is less than 24 hours, the request
> will be granted.
>
> 5. From here, the user will be presented with a small form where they
> can enter in a new password and password hint.
>
> Sound ok?
>
> --
> Open BlueDragon Public Mailing List
> http://www.openbluedragon.org/ http://twitter.com/OpenBlueDragon
> mailing list - http://groups.google.com/group/openbd?hl=en
>
> !! save a network - please trim replies before posting !!
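A worked version of the reset flow discussed in this thread, written as an added example: it is not code from either post and not OpenBD's own, and it uses Python with an in-memory SQLite table standing in for the "resetRequests" table rather than CFML. It follows the reply's suggestions (the user supplies only a username, the response is the same whether or not the account exists, the table is queried by the 64-character token's hash alone, then the 24-hour window is checked) and adds one choice of its own: the table stores a SHA-256 hash of a random token and the token is marked used after one redemption, instead of recomputing a hash over a stored uuid and date. The column names, the sample member, the e-mail address and the `send_email` callback are assumptions.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Expiry window from the thread: a request older than 24 hours is rejected.
TOKEN_TTL = timedelta(hours=24)
# One fixed response for every username, real or not (point 1c in the reply).
RESET_RESPONSE = "An email has been sent if an account matches that username."


def open_db():
    """In-memory stand-in for the 'resetRequests' table (column names are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE resetRequests (
               token_hash TEXT PRIMARY KEY,   -- SHA-256 of the token, never the token
               member_id  INTEGER NOT NULL,
               created_at TEXT NOT NULL,      -- ISO 8601, UTC
               used       INTEGER NOT NULL DEFAULT 0)"""
    )
    return conn


def hash_token(token):
    # Only the hash is stored, so a leaked table does not yield working links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_reset_request(conn, member_id, now):
    """Mint a random token and record its hash; the token itself goes only into the email."""
    token = secrets.token_urlsafe(48)  # 48 random bytes -> 64 URL-safe characters
    conn.execute(
        "INSERT INTO resetRequests (token_hash, member_id, created_at) VALUES (?, ?, ?)",
        (hash_token(token), member_id, now.isoformat()),
    )
    conn.commit()
    return token


def request_reset(conn, members, username, send_email, now):
    """Step 1: the user supplies only a username; the reply is identical either way."""
    account = members.get(username)
    if account is not None:
        member_id, email_on_file = account
        token = create_reset_request(conn, member_id, now)
        send_email(email_on_file, token)  # mail goes to the registered address only
    return RESET_RESPONSE


def redeem_reset_token(conn, token, now):
    """Steps 3-4: look the hash up, enforce the 24-hour window, and burn the token.

    Returns the member_id on success, None otherwise (unknown, expired or already used)."""
    row = conn.execute(
        "SELECT member_id, created_at, used FROM resetRequests WHERE token_hash = ?",
        (hash_token(token),),
    ).fetchone()
    if row is None:
        return None
    member_id, created_at, used = row
    created = datetime.fromisoformat(created_at)
    if used or now < created or now - created > TOKEN_TTL:
        return None
    # Re-check 'used' inside the UPDATE so two concurrent clicks cannot both succeed.
    cur = conn.execute(
        "UPDATE resetRequests SET used = 1 WHERE token_hash = ? AND used = 0",
        (hash_token(token),),
    )
    conn.commit()
    return member_id if cur.rowcount == 1 else None


def demo():
    """Walk the scenario end to end on constructed data and return the observable results."""
    db = open_db()
    members = {"jallen": (324, "user@example.com")}  # constructed sample account
    sent = []
    mailer = lambda addr, tok: sent.append((addr, tok))
    t0 = datetime(2010, 5, 18, 11, 31, tzinfo=timezone.utc)
    unknown_reply = request_reset(db, members, "nobody", mailer, t0)
    known_reply = request_reset(db, members, "jallen", mailer, t0)
    token = sent[0][1]
    return {
        "same_reply": unknown_reply == known_reply,
        "emails_sent": len(sent),
        "token_len": len(token),
        "bogus": redeem_reset_token(db, "x" * 64, t0),
        "expired": redeem_reset_token(db, token, t0 + timedelta(hours=25)),
        "valid": redeem_reset_token(db, token, t0 + timedelta(hours=1)),
        "reused": redeem_reset_token(db, token, t0 + timedelta(hours=2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the lookup is a primary-key match on the hash, there is no string comparison in application code whose timing could leak anything, and a guessed key that is not in the table simply returns no row, which is the 404 case the reply describes. The expired check deliberately does not burn the token, so the order of the calls in `demo` (expired first, then valid, then reused) shows each failure mode separately.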
