What is the general "User password reset" algorithm?

Source: Internet
Author: User
Keywords Php mysql security password
For example, when a user receives an email Password ResetLink, click the link to open the Reset Password"Page, the page is generally only two text boxes: Password box and password confirmation box, this time when users submit how to ensure security? The main way is to ensure that the reset 确实是Email链接里指定的用户Password (not someone else's password)?

Add:
Reset Password Form In addition to the above mentioned a password box and a password confirmation box, I think there is usually a user_id such as a hidden box it? It seems that modern browsers can modify the actual value of the hidden box, and then submit it to change the other person's password!

Reply content:

For example, when the user email received a link to reset password, click the link to open the " Reset Password " page, the page generally only two text boxes: Password box and password confirmation box, this time the user submitted how to ensure security? What is the main guarantee of resetting the 确实是Email链接里指定的用户 password (not someone else's password)?

Add:
Reset Password Form In addition to the above mentioned a password box and a password confirmation box, I think there is usually a user_id such as a hidden box it? It seems that modern browsers can modify the actual value of the hidden box, and then submit it to change the other person's password!

You take a closer look at that link, there is a random token parameter, click on the link if token does not match the error page, matching is the Change Password page, and token is followed by the password to the background, backstage or to be checked again. As for tokens, it must be in the back-end database, and the longer the more secure. If the simple point can use the UUID algorithm as the generation token algorithm.

Links are sent to the user's mailbox, that is, only access to the mailbox can be linked, there is a layer of security verification has almost guaranteed that "Open password reset link" is the person who needs to reset the password. You can further increase the security level by making the token in the link shorter or verifiable only once.

Add the answer upstairs. The validity of the token is added only once. More secure. If you want to increase security. The source of the URL can be restricted to the user's corresponding mailbox service provider. In fact, there is an expiration date and only one time is enough.

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.