jimfog Posted August 18, 2015
I am trying to implement forgotten-password functionality... as such I have some questions. What hash function should I use for creating the token? Do you append the token to a URL where the user must click? ...and this URL is sent with the e-mail of course. How do you check that the user has already clicked the link? Do you use a dedicated table for storing the token and its expiry date... apart from these, what else would you store in such a table? I do not want to ask other questions for now... Thanks
justsomeguy Posted August 18, 2015
A token doesn't really need to be cryptographically secure so the hashing algorithm isn't a major concern. Yes, you include the token as a URL parameter. The page that they go to which reads the token can do whatever you want, including recording that they clicked on it or even just deleting it from the database so that it's no longer valid. I store the password reset token including a timestamp of when it was requested in the users table.
jimfog Posted August 18, 2015 (Author)
Ok, after the user clicks the link... I suppose you invalidate the token, i.e. delete it. After invalidation... suppose the user clicks the link in his mail again... and you redirect him to the page... what message do you display to him? "Invalid link, dear user"?
justsomeguy Posted August 18, 2015
Literally whatever you want to display. Write a bunch of phrases on little pieces of paper and draw one out of a hat if you want. Although if I went to a page and saw "Invalid!link dear user" I would definitely say that this person doesn't understand English very well. So, play to your audience I suppose.
jimfog Posted August 19, 2015 (Author)
Another question is how do you actually invalidate the token... what method do you use?
Ingolme Posted August 19, 2015
Clear the token from the database if the timestamp is older than the timeout limit.
jimfog Posted August 19, 2015 (Author)
Would I do the same thing (clear the token from the db) if the user clicked the link and reset his/her password? I mean, should I invalidate the token both when the timeout has expired and when the password was reset?
Ingolme Posted August 19, 2015
Yes, for security it's a good idea to put it in both cases. These are things you should think about.
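The flow discussed in this thread (generate a token, put it in the e-mailed URL, keep it in a table with an expiry, invalidate it on expiry and on first use) as an added example in Python; this is not code from any of the posters. The table is a constructed in-memory dictionary, the 30-minute lifetime and the URL host/path are assumptions, and the token is stored as a SHA-256 hash so a leaked table row cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 30 * 60  # assumed policy: a reset link is valid for 30 minutes

# Constructed stand-in for a dedicated password_reset table:
# user_id -> {"token_hash": ..., "expires_at": ..., "used_at": ...}
reset_table: Dict[int, dict] = {}


def create_reset_token(user_id: int, now: Optional[float] = None) -> str:
    """Generate a random token, store only its hash, and return the raw token for the e-mail URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, so it cannot be guessed
    reset_table[user_id] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used_at": None,
    }
    return token


def build_reset_url(user_id: int, token: str) -> str:
    # Host and path are assumptions for illustration only.
    return f"https://example.invalid/reset?uid={user_id}&token={token}"


def consume_reset_token(user_id: int, token: str, now: Optional[float] = None) -> str:
    """Return 'ok' when the token is accepted, otherwise 'invalid', 'used' or 'expired'."""
    now = time.time() if now is None else now
    row = reset_table.get(user_id)
    if row is None:
        return "invalid"
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(presented, row["token_hash"]):
        return "invalid"
    if row["used_at"] is not None:
        return "used"  # second click on the same link: the page can say so explicitly
    if now > row["expires_at"]:
        del reset_table[user_id]  # timed out: clear it, as suggested in the thread
        return "expired"
    row["used_at"] = now  # single use: invalidated as soon as the reset succeeds
    return "ok"
```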