10-29-2007, 10:25 AM | #7 (permalink)
Super Moderator | Join Date: Sep 2007 | Posts: 165 | Thanks: 0
What I normally do is have an additional column on the table, say for example "password_reset_key".
You then set a randomised key (md5(time() . $salt) I normally use) and email that to the user; the user can then change his/her password if it is the official user. If it is not the owner of the account, he/she can simply ignore the forgot-password request and live on with the same user and password credentials.
Note: It's good to throttle the amount of requests from a single IP address on the page used to reset the password, as brute force can be done if the password_keys aren't that long...
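The flow described in the post (extra "password_reset_key" column, key e-mailed to the user, per-IP throttle on the reset page), written out as an added PHP example that is not the poster's code. It draws the key from PHP's CSPRNG (random_bytes) instead of md5(time() . $salt), keeps only a SHA-256 hash of the key in the column so a database read does not expose live keys, gives each key an expiry, and counts redemption attempts per IP. It assumes a PDO handle $pdo, a users table with columns (id, email, password_hash, password_reset_key, password_reset_expires) and a reset_attempts table (ip, attempted_at); the table and column names, the constants and the function names are all assumptions.

```php
<?php
// Added example, not the poster's code. Assumes a PDO handle $pdo, a users
// table (id, email, password_hash, password_reset_key, password_reset_expires)
// and a reset_attempts table (ip, attempted_at) used for the IP throttle.
const RESET_KEY_TTL   = 3600; // seconds a reset key stays valid
const MAX_ATTEMPTS_IP = 5;    // reset attempts allowed per IP per window
const ATTEMPT_WINDOW  = 900;  // throttle window in seconds

// Issue a key from the CSPRNG, store only its SHA-256 hash in the
// password_reset_key column, and return the raw key for the e-mail.
function issue_reset_key(PDO $pdo, int $userId): string {
    $key = bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex chars
    $pdo->prepare('UPDATE users SET password_reset_key = ?,
        password_reset_expires = ? WHERE id = ?')
        ->execute([hash('sha256', $key), time() + RESET_KEY_TTL, $userId]);
    return $key;
}

// Per-IP throttle for the reset page: record this attempt and report
// whether the IP has exceeded MAX_ATTEMPTS_IP inside the window.
function ip_throttled(PDO $pdo, string $ip): bool {
    $pdo->prepare('INSERT INTO reset_attempts (ip, attempted_at) VALUES (?, ?)')
        ->execute([$ip, time()]);
    $cnt = $pdo->prepare('SELECT COUNT(*) FROM reset_attempts
        WHERE ip = ? AND attempted_at > ?');
    $cnt->execute([$ip, time() - ATTEMPT_WINDOW]);
    return (int) $cnt->fetchColumn() > MAX_ATTEMPTS_IP;
}

// Redeem the key: constant-time compare against the stored hash, check
// expiry, set the new password and clear the key so it is single-use.
function redeem_reset_key(PDO $pdo, string $email, string $key,
                          string $newPassword, string $ip): bool {
    if (ip_throttled($pdo, $ip)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT id, password_reset_key, password_reset_expires
        FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['password_reset_key'] === null
        || (int) $row['password_reset_expires'] < time()
        || !hash_equals($row['password_reset_key'], hash('sha256', $key))) {
        return false;
    }
    $pdo->prepare('UPDATE users SET password_hash = ?, password_reset_key = NULL,
        password_reset_expires = NULL WHERE id = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['id']]);
    return true;
}
```

The reset page should return the same response whether or not the e-mail address exists and whether the key was wrong, expired or throttled, so the responses do not reveal which accounts exist.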