
Whenever a user asks to reset his or her password, a random token is generated and embedded in the link that is sent to the user's email. I would like to implement token expiry, but I was wondering how the system verifies the user other than the user clicking on the link and the system comparing the token with the one stored in the database.

From the security aspect, is this sufficient for user verification for a password reset?

How do you generate a secure token? What is the most recommended way of doing a password reset in PHP?

Here is the reference link: PHP - How to implement password reset and token expiry

Ghanshyam Nakiya
doremi666

1 Answer

Since the reset tokens are usually sent by email, you can be confident that only the intended user will receive this link. How you generate the tokens is up to you; you can use the approach from the reference link you sent. However, to set an expiry date for the token, I usually use this approach:

  1. Have a password-reset table whose structure is: UserID, Token, TimeStamp.
  2. When the user clicks on the reset button, the token is verified and the timestamp is checked: if the token is set to expire within 24 hours, the timestamp of the request is compared to the timestamp stored in the table, and if the difference between the two is greater than 24 hours, the token becomes invalid.
Ray A
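The following is an added example, not code from the question or the answer above, showing the answer's table-plus-timestamp scheme together with the token generation the question asked about. It assumes PDO with an in-memory SQLite database, a table named password_resets, and a 24-hour lifetime; it also goes one step beyond the answer by storing a SHA-256 of the token instead of the raw token, so a leaked database does not yield usable reset links, and by making each token single-use.

```php
<?php
// Added example: password-reset tokens with expiry (not the original answer's code).
// Assumptions: PDO + SQLite in-memory DB, table name password_resets, 24-hour lifetime.

declare(strict_types=1);

const RESET_TOKEN_LIFETIME = 24 * 60 * 60; // seconds; the answer's 24-hour window

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)');
    // Mirrors the answer's (UserID, Token, TimeStamp) table. The token column holds a
    // SHA-256 of the token rather than the token itself (an addition to the answer).
    $db->exec('CREATE TABLE password_resets (
        user_id INTEGER NOT NULL,
        token_hash TEXT NOT NULL UNIQUE,
        created_at INTEGER NOT NULL
    )');
}

// Issue a token: 32 bytes from the CSPRNG, hex-encoded so it is URL-safe.
// Returns the raw token, which goes only into the emailed link and is never stored.
function issueResetToken(PDO $db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    // One outstanding token per user: a new request invalidates older ones.
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO password_resets (user_id, token_hash, created_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $now]);
    return $token;
}

// Verify the token carried by the link. Returns the user id on success, null otherwise.
// Single-use: the row is deleted whether the token turns out valid or expired.
function consumeResetToken(PDO $db, string $token, int $now): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // malformed input, nothing to look up
    }
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, created_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown token
    }
    $db->prepare('DELETE FROM password_resets WHERE token_hash = ?')->execute([$tokenHash]);
    // The expiry check from the answer: request time minus stored timestamp.
    if ($now - (int) $row['created_at'] > RESET_TOKEN_LIFETIME) {
        return null; // expired
    }
    return (int) $row['user_id'];
}

// Demo with an in-memory database, a constructed user, and a fixed clock.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$db->exec("INSERT INTO users (id, email) VALUES (7, 'alice@example.com')");

$t0 = 1700000000;
$token = issueResetToken($db, 7, $t0);
$link = 'https://example.com/reset?token=' . $token; // what the email would carry (hypothetical URL)

var_dump(consumeResetToken($db, $token, $t0 + 3600));                         // first use, inside the window
var_dump(consumeResetToken($db, $token, $t0 + 3600));                         // same token again (single-use)
$token2 = issueResetToken($db, 7, $t0);
var_dump(consumeResetToken($db, $token2, $t0 + RESET_TOKEN_LIFETIME + 1));    // just past 24 hours
var_dump(consumeResetToken($db, str_repeat('0', 64), $t0));                   // well-formed but unknown token
```

Two points worth noting against the answer's scheme: storing the hash of the token means the lookup is by hash, so no timing-sensitive string comparison of the raw token is needed, and deleting the row on first use closes the window in which an emailed link could be replayed within the 24 hours.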