Tips on implementing password reset

#1
[eluser]Krzemo[/eluser]
Hi,

I'm working on a password reset (set a new one) functionality for my webapp and I'm a bit stuck due to a security problem. It works more or less this way:
1) user clicks a link and is taken to a controller/view where login and email have to be provided
2) in the next controller it is checked whether the given login and email exist in the DB and, if so, a hash is generated and stored in the users table and an email with a reset link is sent
Quote: http://server.com/login/reset/51/868ecef...4603bdf28b
where 51 is the user.
3) the link above takes you to a form with 3 inputs (one hidden for the user id) where the user sets a new password, and this is where it appeared to me that I have to work out a more secure approach, as keeping it this way anyone could submit the form and set a new password for any user.

I was thinking of checking the referer in the password resetting controller, or limiting the time in which the user can reset the password after receiving the email, but there is also one more idea...

I thought it would be nice if I could somehow pass a variable directly between controllers (the user id in this case) without POST/GET. Is it possible in CI?

Do you have any ideas or experiences in this field? Can you please share some?
Thanks

#2
[eluser]Crimp[/eluser]
New password:

1. Old password
2. New password
3. Repeat new password

Forgotten password/activation:

At 3) the controller method (login/reset) checks the validity of the hash against the DB entry. If no match, no reset -> exit. You supply the new password (which can be changed later, like above).
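The flow from post #1 with the check from post #2 (hash validated against the DB row before any reset), written out as an added example. This is not code from the thread or from CodeIgniter: it is plain PHP 7.1+ using an in-memory SQLite database through PDO so it runs offline, and the table name, column names, the 15-minute lifetime and the demo user are all assumptions. It also applies the time limit mentioned in post #1, stores only a hash of the token, compares in constant time and clears the token on use so the link cannot be replayed.

```php
<?php
// Added example, not the poster's code: a self-contained password-reset
// token flow. Schema and names below are assumptions for illustration.

class PasswordReset
{
    private $db;   // PDO handle
    private $ttl;  // token lifetime in seconds

    public function __construct(PDO $db, int $ttl = 3600)
    {
        $this->db  = $db;
        $this->ttl = $ttl;
        // Assumed schema: the reset columns live on the users row itself.
        $this->db->exec('CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY, login TEXT UNIQUE, email TEXT,
            password_hash TEXT, reset_token_hash TEXT, reset_expires INTEGER)');
    }

    // Step 2 of the original flow: look up login + email and, if they match,
    // issue a single-use token. Only SHA-256(token) is stored, so a leaked
    // database row does not let anyone build a working link.
    // Returns the reset URL or null when there is no match; the caller should
    // answer identically either way so the form does not reveal valid logins.
    public function requestReset(string $login, string $email, string $baseUrl): ?string
    {
        $stmt = $this->db->prepare('SELECT id FROM users WHERE login = ? AND email = ?');
        $stmt->execute([$login, $email]);
        $id = $stmt->fetchColumn();
        if ($id === false) {
            return null;
        }
        $token = bin2hex(random_bytes(32));   // 256-bit token from the CSPRNG
        $upd = $this->db->prepare(
            'UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE id = ?');
        $upd->execute([hash('sha256', $token), time() + $this->ttl, $id]);
        return $baseUrl . '/login/reset/' . (int) $id . '/' . $token;
    }

    // Step 3: the user id in the URL (or hidden field) is only a lookup key;
    // the token is what authorises the reset. Check expiry, compare against
    // the stored hash in constant time, and clear the token when it is used.
    public function completeReset(int $userId, string $token, string $newPassword): bool
    {
        $stmt = $this->db->prepare(
            'SELECT reset_token_hash, reset_expires FROM users WHERE id = ?');
        $stmt->execute([$userId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || $row['reset_token_hash'] === null) {
            return false;
        }
        if ((int) $row['reset_expires'] < time()) {
            return false;
        }
        if (!hash_equals($row['reset_token_hash'], hash('sha256', $token))) {
            return false;
        }
        // Set the password and invalidate the token in one statement.
        $upd = $this->db->prepare('UPDATE users SET password_hash = ?,
            reset_token_hash = NULL, reset_expires = NULL WHERE id = ?');
        $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
        return true;
    }
}

// Constructed demo data, not from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pr = new PasswordReset($db, 900);
$db->exec("INSERT INTO users (id, login, email, password_hash)
           VALUES (51, 'krzemo', 'krzemo@example.com', '')");

$url = $pr->requestReset('krzemo', 'krzemo@example.com', 'http://server.com');
echo "reset link: $url\n";
[$id, $token] = array_slice(explode('/', $url), -2);

// Submission for user 51 with a guessed token, as in the poster's worry.
var_dump($pr->completeReset((int) $id, str_repeat('0', 64), 'attacker'));
// The genuine link.
var_dump($pr->completeReset((int) $id, $token, 'correct horse battery'));
// The same link submitted a second time.
var_dump($pr->completeReset((int) $id, $token, 'again'));
```

The point this makes against the ideas in post #1: a referer check adds nothing, because the Referer header is set by the client and is often absent, while the token check above cannot be bypassed by anyone who does not hold the emailed link. Keeping the user id in the URL or a hidden field is fine once the token is what actually authorises the change.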

#3
[eluser]Colin Williams[/eluser]
Yeah, I wouldn't let them set the new/reset password. Generate one randomly and email it to them. They could then login with that temp password and use the password change feature.

Quote: I thought it would be nice if I could somehow pass a variable directly between controllers (the user id in this case) without POST/GET. Is it possible in CI?

Well, it's possible with PHP.

Code:
// CodeIgniter 1.x style controller: within one request, a controller
// method can simply call another method and use its return value.
class Example extends Controller {

   function something()
   {
      // The value never touches GET or POST; it stays in PHP.
      $value = $this->other_method();
      return $value;
   }

   function other_method()
   {
      return 'something';
   }

}

But can you pass anything from one HTTP request to another without including it in POST or GET data? Sure. That's where Sessions and Cookies are useful.

