
I had been reading through many pages about resetting password with token.

I understand it up to the point of getting the token from the link, $_GET['token'];

But I am not following after that: what do I do with the token? Do I just check if that exists in the database? Because I read on this link about cross-referencing in the reset_password table, but I don't understand what that means. Looking for some good options to send users reset password emails

Do I just check if the token exists and pick the email that is on the same row? Then I allow the user to reset the password using that email?

Benyaman

2 Answers


The idea behind using a token is a security reason.

You usually create your own token using information only visible to you.

Consider a scenario where someone understands that to reset someone's password all he has to do is get to a specific link and add the email to that: &email={user_email}

That would make it extremely unsafe.

But if you hash a token with information only you know of, you can do something like:

&email={user_email}&token={token}

And then retrieve the token in your code, check if it fits your specific rules or what not, and only then reset that email password.

Let me give you an example of how to hash it in a way only visible to you and enjoy the benefits of extra safe features.

Let's say you hash it using the email + today's date:

$token = md5($email . date('Y-m-d', time())); // '.' concatenates in PHP; '+' would try to add the strings as numbers

This will make the token valid only for today.

Dalai Lama
  • I think I kind of understand: I understand the token attached to the link that is generated, but the email address isn't, right? So if I hash it with $email and something else, what I do next is to check if that exists in the database? If it does, I pull the email address next to that token and then I allow resetting the password? – Benyaman Jun 24 '14 at 15:02
  • You have two options. You can either hash the token and send it as a different GET variable, alongside the email variable, or you can try and put the email with the token (something like bla@bla.com_1aisd2309asiod) and then separate it in the code using the PHP `explode` function. Again.. just an example. – Dalai Lama Jun 25 '14 at 07:01
  • TBH yes you can also do what you suggested, pull the email from the DB that corresponds to that hash, but I wouldn't suggest doing it. The best is to send both email and token, and make sure that that token fits the email hashing you created and if so, reset the pw and send the email with the new password to the user. – Dalai Lama Jun 25 '14 at 07:03
  • For some reason I am not sure why it seems not as safe when the email is in the link? It doesn't matter, does it? – Benyaman Jun 25 '14 at 11:05
  • It's safe, you shouldn't be worried about it. – Dalai Lama Jun 25 '14 at 13:54
  • I think I might have to do it the way including the email, because I am having a problem with resetting my password; for some reason my token is returning another email when I update the password http://stackoverflow.com/questions/24400973/resetting-new-password-token-became-empty/24401394?noredirect=1#comment37756524_24401394 – Benyaman Jun 25 '14 at 14:20
  • Feel free to show me your code, I'll do what I can to assist. – Dalai Lama Jun 25 '14 at 14:24
  • Hi Dalai, thanks! I attached the link here http://stackoverflow.com/questions/24411318/resetting-password-but-its-resetting-the-wrong-persons-password – Benyaman Jun 25 '14 at 14:25
  • I see now. I thought the password was being generated. It seems like you are building a form for the user to reset his own password. In this case I'd forget about using a token. What I thought is that you wanted to send the user a new password via his email, in which case it would be sent with a "confirm link". In your case, since it is all on the same server, it suffices to just check the user **session**. – Dalai Lama Jun 25 '14 at 14:49
  • I just finished it. I split the reset into 2 parts: if the token exists it pulls out the email and I session the email onto the submit-new-password part, and after it resets, the token is set to null and the session destroyed. Wondering if it's good enough security-wise? – Benyaman Jun 26 '14 at 06:40
  • As I said, if you're doing all of it inside your server, using the session is enough to know if the user is the one who is resetting his password. If you were to send a "reset link" to the user's email then it is wise to use the token. – Dalai Lama Jun 26 '14 at 06:43

You can ask for the email of the account whose password the user wants to reset. You can then verify that the email corresponds to the token, and so send the reset password email.

To avoid security risks, the password-resetting link (sent in the email) could be available only for a couple of hours (8), and the password would be reset ONLY if the user clicks on it, not before. So nobody can reset your password if he doesn't have your token and your email address, and if he has no access to your email account.

Ballantine
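As an added example (not code from the question or either answer) of the flow the two answers describe, checking that the token in the link belongs to the email in the link, keeping it valid for only a few hours, and burning it on use: it swaps the md5(email + date) token for a random token whose hash is stored in the reset_password table, and assumes a PDO connection $pdo and the table columns named in the comments.

```php
<?php
// Added example: a reset_password table keyed by a random token, with expiry and single use.
// Assumed schema: reset_password(email VARCHAR, token_hash CHAR(64), expires_at DATETIME, used TINYINT)

const RESET_TTL_SECONDS = 8 * 3600;  // the "couple of hours (8)" from the second answer

// Step 1: the user asked for a reset. Generate an unguessable token, store only its hash
// (so a leaked table does not yield working links), and put the raw token in the email link.
function createResetToken(PDO $pdo, string $email): string {
    $token = bin2hex(random_bytes(32));               // 64 hex chars, 256 bits of entropy
    $stmt = $pdo->prepare(
        'INSERT INTO reset_password (email, token_hash, expires_at, used)
         VALUES (:email, :hash, :expires, 0)');
    $stmt->execute([
        ':email'   => $email,
        ':hash'    => hash('sha256', $token),
        ':expires' => date('Y-m-d H:i:s', time() + RESET_TTL_SECONDS),
    ]);
    return $token;  // goes into the link: reset.php?email=...&token=...
}

// Step 2: the user followed the link and submitted a new password. Look the token up by
// its hash, require the email from the link to match the row, require it to be unexpired
// and unused, then mark it used. Returns the email whose password may now change, or null.
function consumeResetToken(PDO $pdo, string $email, string $token): ?string {
    $hash = hash('sha256', $token);
    $stmt = $pdo->prepare(
        'SELECT email, expires_at, used FROM reset_password WHERE token_hash = :hash');
    $stmt->execute([':hash' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['used'] || strtotime($row['expires_at']) < time()) {
        return null;  // unknown, already used, or older than RESET_TTL_SECONDS
    }
    if (!hash_equals($row['email'], $email)) {
        return null;  // a valid token for one account cannot reset a different account
    }
    $pdo->prepare('UPDATE reset_password SET used = 1 WHERE token_hash = :hash')
        ->execute([':hash' => $hash]);
    return $row['email'];
}

// On the submit-new-password page:
// $email = consumeResetToken($pdo, $_GET['email'], $_GET['token']);
// if ($email === null) { exit('Invalid or expired reset link'); }
// ...then store password_hash($newPassword, PASSWORD_DEFAULT) for $email in the users table.
```

Because the token is random rather than derived from the email and the date, the row lookup is what ties it to an account, and the email comparison answers the asker's worry about the email appearing in the link: it is only accepted when it matches the row the token was issued for.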