How the Web site designs user password reset features

Source: Internet
Author: User
Tags: hash, md5, reset

While building a membership system, I needed to handle the case where a registered user forgets their password and has to reset it. So how should a password reset feature be designed, and how can it be made sound? Let's look at it together.

User flow:

1. The user forgets the password and comes to the password reset page

2. The user enters their email address and clicks the Reset Password button

3. The user receives a password reset email containing a link to reset the password; this link has an expiration time

4. The user clicks the link, lands on the password reset page, enters the new password, and is done

There is nothing novel in this flow; many websites use it.

Backend implementation:

1. When the user enters the email address, look it up; if it exists in the database, obtain the user's user_id

2. Encode the user_id and the current timestamp into a hash. This requires a key prepared in advance, and the key exists only on the server: HASH = MD5(user_id + timestamp + KEY)

3. Generate a URL that carries the hash just generated together with the user ID and the timestamp, such as http://domain.com/reset-password.php?hash=HASH&user_id=123&timestamp=1392121211

4. When the user accesses this URL, check that the hash is legitimate: hash == MD5(user_id + timestamp + KEY)

5. Check that the timestamp has not expired

6. If all checks pass, show the user the new password form

The benefits of this approach are:

1. No additional database tables are required

2. No need to worry about the parameters being maliciously modified by the user, because the check verifies that the hash equals the MD5 of the parameters

3. The password reset URL carries a timestamp, so it can expire

4. If the key is long enough and complex enough, the hash is considered absolutely safe.
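The backend steps above, as an added Python example that is not part of the original article: it builds the reset URL from user_id, timestamp and the server key, then verifies a received URL the way the reset page does (recompute the hash, then check the one-hour expiry), which is why a modified id or timestamp fails the hash check (benefit 2). Assumptions: the KEY and timestamp values are constructed for the example, and the '|' separators in the hashed string and the constant-time comparison are additions to the page's scheme.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for this example; in production it exists only on the server.
KEY = "Something really long long long long long and secret"
TTL_SECONDS = 3600  # one hour, the expiry used by reset-password-form.php
RESET_PAGE = "http://domain.com/reset-password-form.php"


def make_hash(user_id: int, timestamp: int, key: str = KEY) -> str:
    """HASH = MD5(user_id + timestamp + KEY). The '|' separators are an addition
    so the three fields cannot run together when concatenated."""
    data = f"{user_id}|{timestamp}|{key}".encode()
    return hashlib.md5(data).hexdigest()


def build_reset_url(user_id: int, timestamp: int) -> str:
    """Step 3: a URL carrying id, timestamp and the hash computed over both."""
    params = {"id": user_id, "timestamp": timestamp,
              "hash": make_hash(user_id, timestamp)}
    return RESET_PAGE + "?" + urlencode(params)


def verify_reset_url(url: str, now: int) -> tuple:
    """Steps 4-5: recompute the hash from the URL parameters, then check expiry.
    Returns (ok, reason) so the caller can show the matching error message."""
    query = parse_qs(urlparse(url).query)
    try:
        user_id = int(query["id"][0])
        timestamp = int(query["timestamp"][0])
        given = query["hash"][0]
    except (KeyError, ValueError):
        return False, "invalid parameters"
    expected = make_hash(user_id, timestamp)
    # Constant-time comparison; any modified parameter changes the expected hash
    if not hmac.compare_digest(given.encode(), expected.encode()):
        return False, "invalid parameters"
    if now - timestamp > TTL_SECONDS:
        return False, "link expired"
    return True, "ok"


if __name__ == "__main__":
    issued = 1392121211  # constructed timestamp, same value as the page's sample URL
    url = build_reset_url(123, issued)
    print(url)
    print(verify_reset_url(url, issued + 60))    # (True, 'ok')
    print(verify_reset_url(url, issued + 7200))  # (False, 'link expired')
    print(verify_reset_url(url.replace("id=123", "id=124"), issued + 60))  # tampered id
```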

Example

send-reset-email.php:

The code is as follows:


<?php
// Secret known only to the server; must be the same value in reset-password-form.php
$KEY = "Something really long long long long long and secret";
$email = $_POST['email'];
$user = get_user_by_email($email);
if ($user && $user['id'])
{
    $time = time();
    // HASH = MD5(user_id + timestamp + KEY)
    $hash = md5($user['id'] . $time . $KEY);
    $url = "http://domain.com/reset-password-form.php?id=" . $user['id'] . "&timestamp=" . $time . "&hash=" . $hash;
    send_email($email, 'Reset password email from xxx.com', 'Please click the following link to reset your password: ' . $url);
}

reset-password-form.php:

The code is as follows:


<?php
// Same secret as in send-reset-email.php
$KEY = "Something really long long long long long and secret";
$hash = isset($_GET['hash']) ? (string) $_GET['hash'] : '';
$user_id = isset($_GET['id']) ? (string) $_GET['id'] : '';
$timestamp = isset($_GET['timestamp']) ? (int) $_GET['timestamp'] : 0;

// Recompute the hash from the URL parameters; hash_equals() compares in constant time
if (hash_equals(md5($user_id . $timestamp . $KEY), $hash))
{
    if (time() - $timestamp > 3600) // one hour
    {
        die('link expired');
    }
}
else
{
    die('Invalid parameters');
}

// validation passed

if (!empty($_POST['new_password']))
{
    reset_user_password($user_id, $_POST['new_password']);
    die('Password changed successfully');
}
else
{
    // Carry the original parameters in the form action so the POST goes through the same checks;
    // escape them so user-controlled values cannot break out of the attribute
    $action = 'reset-password-form.php?hash=' . urlencode($hash) . '&id=' . urlencode($user_id) . '&timestamp=' . urlencode($timestamp);
    echo '
        <form action="' . htmlspecialchars($action) . '" method="POST">
            New Password: <input type="password" name="new_password">
            <input type="submit" value="Submit">
        </form>
    ';
}
