El Tue, 26 Oct 2010 14:31:17 +0200
Alexander Burger <a...@software-lab.de> escribi=C3=B3:
> On Sat, Oct 23, 2010 at 12:18:45AM +0200, Javier wrote:
> > Alex, please add a feature to reset the password, as I don't
> > remember
> Thinking about it: What would be the best way?

Try this:

1. When the user presses reset pass the button on a valid user, generate
a random password.
2. Store it in a special field in the User object (rpass?) along
with the date of which that random pass was generated (rdate?)
3. Send it to the user in an email like this:
Subject: Password reset for user (username) at (name-of-the-site)

Someone requested a password reset for your account at
(name-of-the-site), if you indeed want to reset your password, please
log in with the following information:
        Username: (username)
        Password: (rpass)

If you don't want to change your password now, just ignore this email,
the above credentials will expire in 24 hours, or the next time you
log in normally.

4. Modify the login process in the following way:
        * First check for the stored password as usual, if it's valid,
          just log in normally, and wipe rpass and rdate if they exist.
        * If the regular pass fails, check whether rpass is not null,
          and rdate is not more than one day in the past. If the
          password matches, log in the user and take him/her to the
          password change form.

I think the above procedure should be acceptably easy to use, implement
and secure.

UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe

Reply via email to