Tips on implementing password reset
Krzemo:
Hi, I'm working on a password reset (set new one) functionality for my webapp and I'm a bit stuck due to a security problem. It works more or less this way:

1) user clicks a link and is taken to a controller/view where login and email have to be provided
2) in the next controller it is checked if the given login and email exist in the DB and if so, a hash is generated and stored in the users table and an email with a reset link is sent
Quote: http://server.com/login/reset/51/868ecef...4603bdf28b
where 51 is the user.
3) the link from above takes the user to a 3-input form (one hidden for user id) where the user sets a new password, and this is where it appeared to me that I have to work out a more secure approach, as keeping it this way anyone could submit the form and set a new password for any user.

I was thinking of checking the referer in the password resetting controller, limiting the time in which the user can reset the password after receiving the email, but there is also one idea... I thought it would be nice if I could somehow pass a variable directly between controllers (user id in this case) without post/get. Is it possible in CI? Do you have any ideas/experiences in this field? Can you please share some? Thanks
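The token lifecycle the post sketches, written out as an added Python illustration (not CodeIgniter code and not from the original thread): the point is that step 3 must re-check user id and token together when the form is submitted, so a hidden user id on its own never authorizes a password change. The in-memory `users` dict, the one-hour expiry and the sample user 51 are constructed assumptions.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 3600  # assumption: reset links expire after one hour

# Constructed in-memory stand-in for the users table: user_id -> row.
# Only a hash of the reset token is stored, so a DB read alone cannot forge a link.
users = {
    51: {"login": "alice", "email": "alice@example.com",
         "reset_hash": None, "reset_expires": 0.0, "password_hash": None},
}

def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(user_id: int, now: float) -> str:
    """Step 2: generate an unguessable token, store its hash plus an expiry,
    and return the raw token, which goes only into the e-mailed link."""
    token = secrets.token_urlsafe(32)
    row = users[user_id]
    row["reset_hash"] = _token_hash(token)
    row["reset_expires"] = now + TOKEN_TTL_SECONDS
    return token

def verify_reset_token(user_id: int, token: str, now: float) -> bool:
    """Check user id and token together, both when showing the form and when
    processing it. Expired, missing or mismatched tokens all fail closed."""
    row = users.get(user_id)
    if row is None or row["reset_hash"] is None or now > row["reset_expires"]:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(row["reset_hash"], _token_hash(token))

def complete_reset(user_id: int, token: str, new_password: str, now: float) -> bool:
    """Step 3: the submitted form must carry the token, not just the hidden user id."""
    if not verify_reset_token(user_id, token, now):
        return False
    row = users[user_id]
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    row["password_hash"] = salt.hex() + ":" + digest.hex()
    row["reset_hash"], row["reset_expires"] = None, 0.0  # single use: invalidate the token
    return True
```

Passing the `now` value in explicitly (instead of calling `time.time()` inside) is only there to make the expiry logic testable; in the real controller, use the current time.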
Tips on implementing password reset - by El Forum - 11-15-2008, 03:54 PM