I'm doing a module which allow users to reset password. I noticed how most websites they provide a confirmation link which contain query string that has a unique hash.
My question is: How can I generate this unique hash each time the same user request forgot password? Should I store this hash in database and use it for verification later on? Wil开发者_开发问答l it be safe? Or should I create some sort of algorithm which generate one-time password? How can I generate a OTP?
Yes, you should
- Generate a random reset token. See e.g. this answer.
- Store it in the database (possibly with an expiry time)
- Send e-mail to the user with the reset token.
- User visits the reset password page with the reset token in the query string.
- Check the database to see the user associated with the reset token and if the expiry time hasn't passed.
- If everything checks out, allow the user to reset the password and delete the reset token from the database.
There seems to be a lot a confusion about the generation of the reset token (or whatever you want to call it). Please read the answer I've linked to and don't reinvent the wheel with hashes and weak seeds.
Just using some hash function with user's ID, user's salt (you salt the user's password, right?) and pseudo-random data should be OK:
$pwd_reset_hash = hash ( 'sha256' , $user_id . $user_salt, uniqid("",true));
Store it in the DB (together with time of request) as the reset key for this user
user_id pwd_reset_hash time_requested
===========================================
123 ae12a45232... 2010-08-24 18:05
When the user tries to use it, check that the hash matches the user and that the time is recent (e.g. "reset code is valid for 3 hours" or something like that)
delete it from DB when used or expired
The way to go is indeed generate some kind of random thing and storing it in the database. As soon as the password is changed you remove the relevant record from the table so that the link cant be used again.
- Mail the url to the user, including the "token".
- If the link is visited, check if the token exists, allow user to change password
- Delete the token from the database.
As said already in the other responses, doing a SHA1 or an MD5 of the userid, combined with microtime and some salt string is usually a safe bet.
1) To generate the unique hash, mix current-time, user-id and some salt (text). For example, if your website is mysite.com, then use this code:
$hash = md5(time() . $userid . 'mysite');
This will create a nice hash.
2) Yes, store it in database.
3) Yes, as long as you expire the hash after a fixed period of time, it will be secure.
4) No, generating one-time password usually annoys users.
精彩评论