[eluser]Unknown[/eluser]
Hello.
I'm making an authentication system and I have some questions about the structure of the users table.
I want to give a user an opportunity to reset his or her password. The user inputs an email and after that I send him a link. When he clicks on it, I show him a new password on some page.
I have a forgotten_password_code in my table, so when the user submits his email, I put a hash in this column, and when he clicks on the link I check the hash and generate a new password.
But I think it's not very good, because the user can push F5 and get a new password again and again. He can even store this hash somewhere.
So how can I solve this problem? Make some flag, like "is_forgotten_password_code_used"?
And moreover, if I want to make this link available only for 24 hours, and a confirmation link maybe, so I have to keep:
1. confirmation hash
2. forgotten password hash
3. forgotten password flag
4. is_confirmed
5. forgotten_password time
6. confirmation time
I guess it's not very good =\
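
One way to handle the F5 and 24-hour concerns from the post above, as an added example that is not part of the original post: keep reset and confirmation links in a separate token table instead of six extra columns on users, and consume each token with a single conditional UPDATE. The table name, column names and the use of Python with sqlite3 are assumptions made so the sketch runs on its own.

```python
import hashlib
import secrets
import sqlite3

TTL_SECONDS = 24 * 3600  # the 24-hour link lifetime asked about in the post

SCHEMA = """
CREATE TABLE user_tokens (          -- hypothetical table, one row per e-mailed link
    token_hash TEXT PRIMARY KEY,    -- SHA-256 of the token; the raw token is only e-mailed
    user_id    INTEGER NOT NULL,
    purpose    TEXT NOT NULL,       -- 'reset' or 'confirm'
    expires_at INTEGER NOT NULL,    -- unix time
    used_at    INTEGER              -- NULL until the link has been consumed
);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(db, user_id, purpose, now):
    """Retire older unused tokens of this purpose, store a new one, return the raw token."""
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE user_tokens SET used_at = ? "
               "WHERE user_id = ? AND purpose = ? AND used_at IS NULL", (now, user_id, purpose))
    db.execute("INSERT INTO user_tokens VALUES (?, ?, ?, ?, NULL)",
               (_digest(token), user_id, purpose, now + TTL_SECONDS))
    db.commit()
    return token

def consume_token(db, token, purpose, now):
    """Return the user_id once for a valid, unexpired, unused token; otherwise None."""
    h = _digest(token)
    cur = db.execute(
        "UPDATE user_tokens SET used_at = ? "
        "WHERE token_hash = ? AND purpose = ? AND used_at IS NULL AND expires_at > ?",
        (now, h, purpose, now))
    db.commit()
    if cur.rowcount != 1:  # reloaded link, expired, wrong purpose or unknown token
        return None
    return db.execute("SELECT user_id FROM user_tokens WHERE token_hash = ?", (h,)).fetchone()[0]
```

Because the check and the "used" mark happen in one UPDATE, a page reload or a stored copy of the link matches zero rows and gets nothing back.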