I want to send emails to users when the forget their passwords that prompt them to reset their passwords. I know this is debatable and was looking for a few good options/suggestions/methods/articles to choose from.
I'm prompting users to press a 'forgot password' link with a simple script with the PHP portion doing this:
$Email = $_POST['email'];
$success = false;
$formError = false;
if(isset($_POST['sub_forgot_pw'])) {
if(empty($_POST['email'])) {
$formError = "true";
$error = "Please enter your e-mail address.";
}else{
$to = $Email;
$subject = "Password Help";
$message = "To reset your password, please <a href='http://www.blahblahblah.org'>Click here</a><br /><br />Do LIFE,<br /> The Team";
$from = "CysticLife <noreply@cysticlife.org>";
$headers = 'MIME-Version: 1.0' . "\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\n";
$headers .= "From: $from";
if(mail($to, $subject, $message, $headers));{
$success = "true";
}
}
}
Here's what I do:
I have reset_password table. When someone asks for a reset, they usually click a link on your site that says "forgot password" where they enter their email they registered with and your system sends a link.
Of course you begin with finding out if the user is registered at all. by selecting from users where email = $_POST['email'].
If they exist, make a randomly generated token, like
$token = md5($_POST['email'].time());
But as Buh Buh expressed in the comment below, you may want to use something a little less obvious to generate your token. crypt() can accept a salt pattern if you like.
Insert the request (email and token) in the reset_password table, then you send them a link like
http://www.domain.com/resetpassword.php?token=<?php echo $token; ?>
Then in that file you take the $_GET['token'] and cross reference it with the reset_password table. If the token is valid, you present them with a form that asks for their new password.
Upon submit, select the user with the email address related to that token and update the user table.
There is a danger of loosing out the url to anyone who sniffs network. To avoid this, you may generate a random short key such as vX4dq and save it in your database. Ask user to remember this. When a user resets via the link, ask him/her to enter this key only known to him.
Advanced :- you may show this key in a captcha so that it doesn't get sniffed.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 爷、活的狠高调 的文章《Looking for a some good options to send users rese》','https://www.manongdao.com/article-227033.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}