Home > Tutorials > PHP Tutorials

What is the general "User password reset" algorithm?

Source: Internet
Author: User
Keywords Php mysql security password
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
For example, when a user receives an email Password ResetLink, click the link to open the Reset Password"Page, the page is generally only two text boxes: Password box and password confirmation box, this time when users submit how to ensure security? The main way is to ensure that the reset 确实是Email链接里指定的用户Password (not someone else's password)?

Add:
Reset Password Form In addition to the above mentioned a password box and a password confirmation box, I think there is usually a user_id such as a hidden box it? It seems that modern browsers can modify the actual value of the hidden box, and then submit it to change the other person's password!

Reply content:

For example, when the user email received a link to reset password, click the link to open the " Reset Password " page, the page generally only two text boxes: Password box and password confirmation box, this time the user submitted how to ensure security? What is the main guarantee of resetting the 确实是Email链接里指定的用户 password (not someone else's password)?

Add:
Reset Password Form In addition to the above mentioned a password box and a password confirmation box, I think there is usually a user_id such as a hidden box it? It seems that modern browsers can modify the actual value of the hidden box, and then submit it to change the other person's password!

You take a closer look at that link, there is a random token parameter, click on the link if token does not match the error page, matching is the Change Password page, and token is followed by the password to the background, backstage or to be checked again. As for tokens, it must be in the back-end database, and the longer the more secure. If the simple point can use the UUID algorithm as the generation token algorithm.

Links are sent to the user's mailbox, that is, only access to the mailbox can be linked, there is a layer of security verification has almost guaranteed that "Open password reset link" is the person who needs to reset the password. You can further increase the security level by making the token in the link shorter or verifiable only once.

Add the answer upstairs. The validity of the token is added only once. More secure. If you want to increase security. The source of the URL can be restricted to the user's corresponding mailbox service provider. In fact, there is an expiration date and only one time is enough.

    • This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

    Related Keywords:
    oracle user password reset postgres reset user password reset sql user password mysql reset user password unix reset user password oracle reset user password drupal reset user password

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    What's Trending
    Top 10 Tags
    datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
    Top 10 Keywords
    microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    Get Started for Free

    • Sales Support

      1 on 1 presale consultation

      Chat Contact Sales

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

      Open a Ticket

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

      Learn More