Password Reset Link Expiry

Published 2019-05-20 07:36

Question:

I wonder whether someone could help me please.

I've been doing quite a bit of research on the 'Password Reset' process and from one of the tutorials I found, I've been able to put the following code together which provides this functionality.

Forgot Password

<?php

// Connect to MySQL
$c = mysql_connect("host", "user", "password");
mysql_select_db("database", $c);

// Was the form submitted?
if (isset($_POST["ForgotPasswordForm"]))
{
    // Harvest submitted e-mail address
    $emailaddress = mysql_real_escape_string($_POST["emailaddress"]);

    // Check to see if a user exists with this e-mail
    $userExists = mysql_fetch_assoc(mysql_query("SELECT `emailaddress` FROM `userdetails` WHERE `emailaddress` = '$emailaddress'"));
    if ($userExists["emailaddress"])
    {
        // Create a unique salt. This will never leave PHP unencrypted.
        $salt = "KEY";

        // Create the unique user password reset key
        $password = md5($salt . $userExists["emailaddress"]);

        // Create a url which we will direct them to reset their password
        $pwrurl = "phpfile.php?q=" . $password;

        // Mail them their key
        $mailbody = "Dear user,\n\nIf this e-mail does not apply to you please ignore it. It appears that you have requested a password reset at our website \n\nTo reset your password, please click the link below. If you cannot click it, please paste it into your web browser's address bar.\n\n" . $pwrurl . "\n\nThanks,\nThe Administration";
        mail($userExists["emailaddress"], "Password reset", $mailbody);
        echo "Your password recovery key has been sent to your e-mail address.";
    }
    else
        echo "No user with that e-mail address exists.";
}

?>

Reset Password

<?php

// Connect to MySQL
$c = mysql_connect("host", "user", "password");
mysql_select_db("database", $c);

// Was the form submitted?
if (isset($_POST["ResetPasswordForm"]))
{
    // Gather the post data
    $emailaddress = mysql_real_escape_string($_POST["emailaddress"]);
    $password = md5(mysql_real_escape_string($_POST["password"]));
    $confirmpassword = md5(mysql_real_escape_string($_POST["confirmpassword"]));

    // The reset key carried in the link (the "q" query parameter)
    $q = $_POST["q"];

    // Escape the hint as well, since it goes straight into the UPDATE below
    $passwordhint = mysql_real_escape_string($_POST["passwordhint"]);

    // Use the same salt from the forgot_password.php file
    $salt = "KEY";

    // Generate the reset key
    $resetkey = md5($salt . $emailaddress);

    // Does the new reset key match the old one?
    if ($resetkey == $q)
    {
        if ($password == $confirmpassword)
        {
            // Update the user's password
            mysql_query("UPDATE `userdetails` SET `password` = '$password', `passwordhint` = '$passwordhint' WHERE `emailaddress` = '$emailaddress'");
            echo "Your password has been successfully reset.";
        }
        else
            echo "Your passwords do not match.";
    }
    else
        echo "Your password reset key is invalid.";
}

?>

I would now like to add a timed expiry of the link that I send out to the user. I've been looking at the posts on the Stack Overflow community and many others, but I've not been able to find what I'm looking for.

I just wondered whether someone could perhaps help me out please and give me a little guidance on how I may accomplish this.

Many thanks.

Answer 1:

Add a field to the users table with a timestamp when a password reset is requested. When you check if the key matches, check the timestamp to see how old it is.

Is this what you mean?



Answer 2:

The way I do this is to store both the hash that you send the user and the timestamp from when it was generated in the users table.

When they visit the reset page, check the hash they give against the one in the database rather than generating it again (doing it this way you can use truly random hashes, as you don't have to remember how it was created in the first place), and also check the timestamp.
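Putting both answers together (a stored timestamp from Answer 1, a stored random token from Answer 2), here is an added example that is not part of the question or either answer. It replaces the deterministic md5(salt . email) key with a random token whose SHA-256 hash and request time are kept in the users table, checks both on reset, and clears the token so the link is single-use. It uses PDO with an in-memory SQLite database (the pdo_sqlite extension) so it runs stand-alone; the table and column names, the one-hour lifetime and the test user are assumptions, not the asker's schema.

```php
<?php
// Added example, not the asker's code: random reset token stored as a hash
// together with its request time, verified and expired on the reset page.
// Table/column names, TTL and the sample user are assumptions.

const RESET_TTL_SECONDS = 3600;   // assumed lifetime of a reset link: one hour

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE userdetails (
    emailaddress     TEXT PRIMARY KEY,
    password         TEXT NOT NULL,
    reset_token_hash TEXT,
    reset_requested  INTEGER
)");
// Constructed sample user for the walk-through below.
$db->prepare("INSERT INTO userdetails (emailaddress, password) VALUES (?, ?)")
   ->execute(['alice@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Forgot-password step: for a known address, generate a random token, store
// only its SHA-256 hash plus the current time, and return the raw token for
// the e-mail link. Returns null for an unknown address.
function issueResetToken(PDO $db, string $email): ?string
{
    $stmt = $db->prepare("SELECT 1 FROM userdetails WHERE emailaddress = ?");
    $stmt->execute([$email]);
    if (!$stmt->fetchColumn()) {
        return null;
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $stmt = $db->prepare("UPDATE userdetails
                          SET reset_token_hash = ?, reset_requested = ?
                          WHERE emailaddress = ?");
    $stmt->execute([hash('sha256', $token), time(), $email]);
    return $token;
}

// Reset step: compare the hash of the presented token with the stored hash
// in constant time, then enforce the age limit. Returns 'invalid', 'expired',
// or null on success; the stored token is cleared so it cannot be reused.
function resetPassword(PDO $db, string $email, string $token, string $newPassword): ?string
{
    $stmt = $db->prepare("SELECT reset_token_hash, reset_requested
                          FROM userdetails WHERE emailaddress = ?");
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_token_hash'] === null) {
        return 'invalid';
    }
    if (!hash_equals($row['reset_token_hash'], hash('sha256', $token))) {
        return 'invalid';
    }
    if (time() - (int)$row['reset_requested'] > RESET_TTL_SECONDS) {
        return 'expired';
    }
    $stmt = $db->prepare("UPDATE userdetails
                          SET password = ?, reset_token_hash = NULL, reset_requested = NULL
                          WHERE emailaddress = ?");
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email]);
    return null;
}

// Walk-through: issue a link, then try a wrong token, the real token, and
// the real token a second time after it has been consumed.
$token = issueResetToken($db, 'alice@example.com');
echo "Link to mail: https://example.com/reset.php?q=$token\n";
echo "wrong token:  " . (resetPassword($db, 'alice@example.com', 'not-the-token', 'n3w') ?? 'ok') . "\n";
echo "real token:   " . (resetPassword($db, 'alice@example.com', $token, 'n3w-secret') ?? 'ok') . "\n";
echo "reused token: " . (resetPassword($db, 'alice@example.com', $token, 'again') ?? 'ok') . "\n";

// Simulate a stale request by backdating the stored timestamp past the TTL.
$token = issueResetToken($db, 'alice@example.com');
$db->prepare("UPDATE userdetails SET reset_requested = ? WHERE emailaddress = ?")
   ->execute([time() - RESET_TTL_SECONDS - 1, 'alice@example.com']);
echo "stale link:   " . (resetPassword($db, 'alice@example.com', $token, 'late') ?? 'ok') . "\n";
```

Only the hash of the token is stored, so a read of the users table does not yield usable reset links; the raw token exists only in the e-mail. hash_equals avoids the timing side channel of a plain == comparison, and clearing reset_token_hash after a successful reset makes each link single-use, which the timestamp alone does not.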