rondog Posted October 31, 2007

Hi, I am doing a PHP/MySQL membership system in Flash and I have everything working so far. My only issue is the "forgot password" part. It works, but the way I currently have it set up, any user that does it can change any user's password. What happens is they click "forgot password." They are then prompted to enter their username. Whatever email that username is tied to, it sends a confirmation message to their inbox with a link that looks like:

http://website.com/setpw.php?username=rondog&newpass=d520b951e2c7890e3ca6d2cf76cc4sg1

which then uses the GET method and sets the new password for the user whose username equals that value. So if the user sees that string, potentially they can change the username= to a different user and have access to that user's account. I don't know how to hide that username. The reason I am doing it this way is I have no way of knowing which user it is. I thought of one way and that would be keeping an MD5'ed version of their username in the DB as well, but any PHP developer would know how to MD5 someone's username and just put that in. So I guess my question is what would be a secure way of going about this?
rajivgonsalves Posted October 31, 2007

Well, a better approach would be generating a random password on request, resetting the password in the database to that random password and just sending the user her mail on the new password. More on random passwords: http://www.totallyphp.co.uk/code/create_a_random_password.htm
rondog (Author) Posted October 31, 2007

See, it is setting a random password, but not until they click the link to confirm, because what if some jerk user starts entering people's user names and resetting everyone's passwords?
rajivgonsalves Posted October 31, 2007

You can do some validations before that, like ask them to enter their username and date of birth, or username and email address.
revraz Posted October 31, 2007

Create a second value, a confirmation ID, that has to be sent along with the request, and it's only valid for that one time.
rondog (Author) Posted October 31, 2007

But I still won't know which user to change. But making a confirmation ID gave me another idea. I'll have a field called confKey in MySQL that, when they register, creates a random 10-letter-and-digit key that doesn't get used until they change their password. Then in my UPDATE clause I can do WHERE confKey = '$confKey' and then I will generate a new confKey and update the key. I think that will work.
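An added example, not code from this thread, of the one-time confirmation-token approach revraz and rondog describe, written in current PHP with PDO. The e-mailed link carries only a random token; the database stores a hash of that token together with an expiry and a used-at marker; and the token alone identifies the user, so no username or password appears in the URL and a user cannot point the link at someone else's account. The table and column names (users, password_resets, token_hash, used_at) and the one-hour lifetime are assumptions.

```php
<?php
// Added example (not the thread author's code). Assumed schema:
//   users(id, username, email, password_hash)
//   password_resets(id, user_id, token_hash, expires_at, used_at)
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // assumed one-hour validity window

// Step 1: on "forgot password", create a per-request token for the user.
// Returns the raw token to put in the e-mailed link (setpw.php?token=...),
// or null if the username is unknown. The caller should show the same
// generic "check your mail" message either way so usernames are not enumerable.
function createResetToken(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }

    $token     = bin2hex(random_bytes(32));   // 256-bit CSPRNG secret, sent only to the mailbox
    $tokenHash = hash('sha256', $token);       // only the hash is stored; a DB read alone cannot replay it
    $expiresAt = date('Y-m-d H:i:s', time() + TOKEN_TTL_SECONDS);

    $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, $tokenHash, $expiresAt]);

    return $token;
}

// Step 2: when the link is clicked, atomically claim the token and set the password.
// Returns false for an unknown, expired, or already-used token.
function consumeResetToken(PDO $db, string $token, string $newPassword): bool
{
    $tokenHash = hash('sha256', $token);

    $db->beginTransaction();

    // The UPDATE both checks validity and marks the token used in one statement,
    // so two concurrent clicks cannot both succeed.
    $claim = $db->prepare(
        'UPDATE password_resets SET used_at = NOW()
          WHERE token_hash = ? AND used_at IS NULL AND expires_at > NOW()'
    );
    $claim->execute([$tokenHash]);
    if ($claim->rowCount() !== 1) {
        $db->rollBack();
        return false;
    }

    $stmt = $db->prepare('SELECT user_id FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $userId = $stmt->fetchColumn();

    // The token identifies the user, so the account to change is never taken from the URL.
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);

    $db->commit();
    return true;
}

// Usage (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $token = createResetToken($db, 'rondog');   // e-mail http://website.com/setpw.php?token=$token
// consumeResetToken($db, $_GET['token'], $newPasswordFromForm);
```

Compared with a confKey generated once at registration, a token created per request and stored only as a hash has no value before a reset is asked for, expires on its own, and cannot be reused, which also answers the concern about someone triggering resets for other people's usernames: nothing changes until the holder of the mailbox clicks the link.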