Question

I am a newbie to PHP. I want to create a module in which the portal manager creates "Users" with a temporary password.

  1. Once the user is created, that particular user should receive an email with a link that expires in 24hrs.
  2. The Manager conveys the temporary password to the user by some other means.
  3. If the User clicks the email link within 24hrs, it should ask for the temporary password and a new password, and have a confirm new password field.
  4. If temporary password is correct, then replace temporary password with new password in the database.

How should I implement this?

Solution

I can't write it for you because I have no idea how your application is structured, but this would be the general approach I'd take:

  1. User is created, presumably with a username, and these details are put in a database.
  2. The temporary password is generated as a random string. Store a hash (MD5, SHA - Google them if you don't know) in the database along with a timestamp of NOW().
  3. User logs in with username and temporary password. If the username and password match, and the current time minus the time logged is less than 24 hours, then ask for a new password. Do the same procedure, hash it and store it in the database. When they next log in, check the hashes match.

Does that make sense or are any parts totally alien and need explained further?

Other tips

One option is to have a parameter in the link that you store in a database along with the expiry date. If there is no such parameter, the link is not accepted. If there is a parameter, you can check in the database the expiry date. If it is valid then you proceed to the change password page.

Example link:

http://www.example.com/updatepass?key=a8s67as78df7g96sd9fg6sdfg

In a database table with this structure:

reset_id, user_id, reset_key, reset_timeout, reset_temp_password

You could verify the key parameter, then the temporary password. user_id would be used to join to the user table where you store user information.
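
An added example, not part of either answer: the expiring link key plus temporary password flow described in the two answers above, using the reset table columns from the second answer. It uses PHP's password_hash()/password_verify() for passwords rather than MD5 or SHA and stores only a SHA-256 digest of the link key; the table names `users` and `resets`, the function names and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions for the demo.

```php
<?php
// Assumed schema: resets follows the column list above; the users table is hypothetical.
function setupSchema(PDO $pdo): void {
    $pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, password_hash TEXT)');
    $pdo->exec('CREATE TABLE resets (reset_id INTEGER PRIMARY KEY, user_id INTEGER,
        reset_key TEXT UNIQUE, reset_timeout INTEGER, reset_temp_password TEXT)');
}

// Returns [key for the e-mailed link, temporary password for the manager to pass on].
function createReset(PDO $pdo, int $userId, int $ttl = 86400): array {
    $key  = bin2hex(random_bytes(32));   // unguessable link parameter
    $temp = bin2hex(random_bytes(6));    // temporary password
    $stmt = $pdo->prepare('INSERT INTO resets (user_id, reset_key, reset_timeout, reset_temp_password)
        VALUES (?, ?, ?, ?)');
    // Only digests are stored, so a leaked table does not reveal usable links or passwords.
    $stmt->execute([$userId, hash('sha256', $key), time() + $ttl, password_hash($temp, PASSWORD_DEFAULT)]);
    return [$key, $temp];
}

// True only if the key exists, has not expired and the temporary password matches.
function redeemReset(PDO $pdo, string $key, string $temp, string $new, string $confirm): bool {
    if ($new === '' || $new !== $confirm) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT * FROM resets WHERE reset_key = ?');
    $stmt->execute([hash('sha256', $key)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || time() > (int)$row['reset_timeout']
        || !password_verify($temp, $row['reset_temp_password'])) {
        return false;
    }
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE user_id = ?')
        ->execute([password_hash($new, PASSWORD_DEFAULT), $row['user_id']]);
    // Single use: the link and temporary password stop working once redeemed.
    $pdo->prepare('DELETE FROM resets WHERE reset_id = ?')->execute([$row['reset_id']]);
    $pdo->commit();
    return true;
}

// Constructed demo on an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($pdo);
$pdo->exec('INSERT INTO users (user_id) VALUES (1)');
[$key, $temp] = createReset($pdo, 1);
var_dump(redeemReset($pdo, $key, 'wrong-temp', 'N3w-pass!', 'N3w-pass!')); // wrong temporary password
var_dump(redeemReset($pdo, $key, $temp, 'N3w-pass!', 'N3w-pass!'));        // valid redemption
var_dump(redeemReset($pdo, $key, $temp, 'Other-pass', 'Other-pass'));      // key already used
```

In a real deployment the failed-attempt path would also count tries per key, since the temporary password is the only secret separating someone who intercepts the e-mail from the account.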

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow