A very common function, the user forgot the password, by entering the previously registered mail, we send a link to the user's mailbox to reset the password. User name + random string + expiration time, then encrypt with MD5, is this design feasible? How do I clear an expired identifier if the user does not have a click link?
Reply content:
A very common function, the user forgot the password, by entering the previously registered mail, we send a link to the user's mailbox to reset the password. User name + random string + expiration time, then encrypt with MD5, is this design feasible? How do I clear an expired identifier if the user does not have a click link?
The entire process:
- Registration requires each user to use a unique mailbox, sign up and send a message to the user's mailbox
- Find password to ask the user to fill in the email address, prompting the user if you do not remember the address please search in the mailbox
- Recover password function limit can only use three times per account (only three messages), use the cache to complete this count
- When a password is retrieved, a random string is written to the cache as token, which is valid for one day, sending a link containing tokens to the user's mailbox
- Users from the link back to verify the validity of Token, and then prompt to fill in the new password, and then submit the new password and Token to the backend to complete the change of password operation
- Delete Token Cache
