Any membership system needs user registration, and a user who forgets their password needs a way to reset it. So how should a password reset function be designed, and what makes the design reasonable? Let's look at it together.
User flow:
1. The user forgets the password and comes to the password reset page.
2. The user enters their email address and clicks the Reset Password button.
3. The user receives a password reset email containing a link to reset the password; this link has an expiry time.
4. The user clicks the link, lands on the password reset page, enters the new password, and is done.
There is nothing novel about this flow; many websites use it.
Backend implementation:
1. When the user submits the email address, verify it; if it exists in the database, obtain the user's user_id.
2. Hash the user_id together with the current timestamp and a key prepared in advance; the key exists only on the server: HASH = MD5(user_id + timestamp + KEY)
3. Generate a URL that carries the hash just generated, the user id and the timestamp, such as http://domain.com/reset-password.php?hash=HASH&user_id=123&timestamp=1392121211
4. When the user visits this URL, check that the hash is legitimate: hash == MD5(user_id + timestamp + KEY)
5. Check whether the timestamp has expired.
6. If all checks pass, display the new password form to the user.
The benefits of this approach are:
1. No additional database table is required.
2. No need to worry about the parameters being maliciously modified by the user, because the hash is checked against the MD5 of those parameters.
3. The password reset URL carries a timestamp and can expire.
4. If the key is long enough and complex enough, the hash is considered absolutely safe.
Example:
send-reset-email.php:
The code is as follows:

<?php
// Secret key known only to the server; must be identical in reset-password-form.php
$KEY = "Something really long long long long long and secret";
$email = $_POST['email'];
$user = get_user_by_email($email);
if ($user && $user['id']) {
    $time = time();
    // HASH = MD5(user_id + timestamp + KEY)
    $hash = md5($user['id'] . $time . $KEY);
    $url = "http://domain.com/reset-password-form.php?id=" . $user['id']
         . "&timestamp=" . $time . "&hash=" . $hash;
    send_email($email, 'Reset password email from xxx.com',
               'Please click the following link to reset your password: ' . $url);
}
reset-password-form.php:
The code is as follows:

<?php
// Must be the same key used in send-reset-email.php
$KEY = "Something really long long long long long and secret";
$hash = $_GET['hash'] ?? '';
$user_id = $_GET['id'] ?? '';
$timestamp = $_GET['timestamp'] ?? '';

// Compare with hash_equals() rather than ==, which is unreliable for hash strings in PHP
if (hash_equals(md5($user_id . $timestamp . $KEY), $hash)) {
    if (time() - $timestamp > 3600) { // one hour
        die('link expired');
    }
} else {
    die('Invalid parameters');
}

// validation passed
if (!empty($_POST['new_password'])) {
    reset_user_password($user_id, $_POST['new_password']);
    die('Password changed successfully');
} else {
    // Escape the query values before echoing them back into the HTML form action
    $action = 'reset-password-form.php?hash=' . urlencode($hash)
            . '&id=' . urlencode($user_id) . '&timestamp=' . urlencode($timestamp);
    echo '<form action="' . htmlspecialchars($action) . '" method="POST">'
       . 'New Password: <input type="password" name="new_password">'
       . '<input type="submit" value="Submit">'
       . '</form>';
}
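The same stateless reset-link scheme (user id, timestamp, server-only key, one-hour expiry) as an added example that is not part of the original page, written in Python rather than PHP, with two hardening changes: the fields are delimited and keyed with HMAC, since plain concatenation lets different (id, timestamp) pairs hash to the same value, and a timestamp in the future is rejected along with an expired one. KEY, the domain and the helper names are constructed for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: constructed server-side secret; the real key never leaves the server.
KEY = "constructed-secret-kept-only-on-the-server"
TTL_SECONDS = 3600  # the page's one-hour validity window


def md5_concat_token(user_id, ts, key):
    """The page's scheme, MD5(user_id + timestamp + KEY) by plain concatenation,
    kept here only to contrast with the delimited version below."""
    return hashlib.md5(f"{user_id}{ts}{key}".encode()).hexdigest()


def make_token(user_id, ts, key=KEY):
    """Keyed hash over delimited fields, so id '12' with a timestamp starting
    '3139...' cannot yield the same digest as id '123' with timestamp '139...'."""
    msg = f"{user_id}|{ts}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def build_reset_url(user_id, ts, key=KEY):
    """Stateless reset link carrying id, timestamp and the keyed hash."""
    query = urlencode({"id": user_id, "timestamp": ts, "hash": make_token(user_id, ts, key)})
    return "https://domain.com/reset-password-form.php?" + query


def verify_reset_url(url, now=None, key=KEY, ttl=TTL_SECONDS):
    """Validate a clicked link. Returns (True, user_id) or (False, reason)."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlparse(url).query)
    try:
        user_id = params["id"][0]
        ts = int(params["timestamp"][0])
        presented = params["hash"][0]
    except (KeyError, ValueError):
        return (False, "invalid parameters")
    # Constant-time comparison; the hash is checked before the timestamp is trusted.
    if not hmac.compare_digest(make_token(user_id, ts, key), presented):
        return (False, "invalid parameters")
    # Reject links older than the TTL and links stamped in the future.
    if ts > now or now - ts > ttl:
        return (False, "link expired")
    return (True, user_id)


if __name__ == "__main__":
    link = build_reset_url("123", int(time.time()))
    print(link, verify_reset_url(link))
```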