Web site development of the user reset password back password function of the implementation principle, this thing is basically in each system now has the function, but the way of implementation is also quite many, this is not much relationship with the database method.
User process: 1. User forgot password, came to password reset interface 2. The user enters the email address, click the Reset Password button 3. The user received a password reset message, which has a link to reset the password, this link has an expiration time of 4. The user clicks the link, comes to the password resets the page, enters the new password, completes this stream Process and there is no innovation, many sites are using this set of processes back-end implementation mode: 1. When the user enters the email address, verify the email, if it exists in the database, then get the user's user_id 2. Encode user_id and current timestamp into hash, A key needs to be prepared in advance and the key exists only on the server. hash = MD5 (user_id + timestamp + KEY) 3. Generate a URL with the hash and user ID you just generated and timestamp, such as http://domain.com/reset-password.php hash=hash&user_id=123xtamp=1392121211 4. When-three-the user accesses this URL, checks whether the hash is legitimate: hash = = MD5 (user_id + timestamp + KEY) 5. Check Check if timestamp is out of date. 6. If all checks pass, then the benefit of displaying a new password form to the user is: 1. No additional data table 2 is required. Do not worry about the parameters by the user malicious modification, because to check whether the hash is equal to the number of parameters of MD5 3. Password reset URL comes with a timestamp 4. As long as the key set is sufficiently long enough to be complex, the hash is considered an absolute safe example send-reset-email.php: The code is as followsCopy Code$KEY = "Something really long long long and secret"; $email = $_post[' email ']; $user = Get_user_by_email ($email); I F ($user && $user [' id ']) {$time = time (); $hash = MD5 ($user [' id ']. $time. $KEY); $url = "http://domain.com/reset-password-form.php?id=". $user [' id ']. ' ×tamp= '. $time. ' &hash= '. $hash; Send_email ($email, ' Reset password email from xxx.com ', ' click on the following link to reset Password '. $url);} Reset-password-form.php: The code is as followsCopy Code $KEY = "Something really long long long and secret"; $hash = $_get[' hash ']; $user _id = $_get[' id ']; $ti Mestamp = $_get[' timestamp ']; if ($hash = = MD5 ($user _id. $timestamp. $KEY)) { if (Time ()-$timestam p > 3600)//One hour { die (' link expired '); }}else{ Die (' Invalid parameters ');} //validation passed if ($_post[' New_password ']) { Reset_user_password ($user _id, $_POST[' New_ Password ']); die (' Password changed successfully ');} else{ Echo ' <form action= "reset-password-form.php?hash= $hash &id= $user _ id×tamp= $timestamp "method=" POST "> New password: <input type=" Password "name=" New_password "> <input type=" Submit "value=" Submit " > </form> ';}
Website development user Reset password retrieve password function implementation principle