
Send email to user for password reset

开发者 https://www.devze.com 2023-01-17 15:35 Source: Internet

The flow is:

  1. user enters email address
  2. after submit, an email is sent to the user
  3. The email will include a link that will take the user to a reset password page.

Now, how do I fetch the user's ID based on the email address and encrypt it? Then what should the link be? Like, what I want is to fetch the User ID and then encrypt it somehow so that the link doesn't contain the actual ID, and that link will take the user to a page that will have textboxes to reset the password. I am just confused about how to go about it.

Also is this the secure way? To reset a password like this?


I usually create a new table in the database:

PasswordresetRequest with the following fields:

  • Id: Guid - Id of password reset request.
  • Accountid: string - username of user
  • Created: DateTime - timestamp of when the password reset was created

Flow is as follows:

  1. User requests a password reset at the web site.
  2. A new record is created in the PasswordresetRequest table.
  3. An email with a link to the password reset page, with the password request id as a request parameter, is sent to the user.
  4. User clicks on the link in the email, which sends him to the password reset page.
  5. The password request is fetched from the database using the request parameter. If the request can be found and is not older than e.g. 12 hours, a form is presented to the user where he can enter a new password.

This is pretty simple to implement and is secure enough for most sites.


There are any number of ways to go about doing this. If your major concern is security, one way could be to send a link that contains a guid parameter which you create and store on your end (in a db table, file or whatever suits you) together with the user id associated with it. When the request for password reset comes in, you check for the guid and look if there is one matching value in your db/file/whatever and proceed with the password reset. Don't forget to delete the guid from your storage to prevent multiple use of the same link.
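The two answers above describe the same design: a separate reset-request record keyed by an unguessable id, an expiry window, and deletion after use. The following is an added example in Python that implements that flow end to end; it is not code from the question or either answer. It goes slightly beyond them in two ways a practitioner would want: the link carries a random token from the OS CSPRNG rather than an encrypted user id, and the table stores only a SHA-256 hash of that token, so a database leak does not hand out working reset links. The users dictionary, the in-memory request table, `BASE_URL` and the `example.com` address are constructed stand-ins for the real database and site.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed in-memory stand-ins for the users table and the
# PasswordresetRequest table described above; a real site would use its database.
USERS_BY_EMAIL: Dict[str, str] = {"alice@example.com": "alice"}  # email -> account id
RESET_REQUESTS: Dict[str, dict] = {}  # sha256(token) -> {"account_id", "created"}

RESET_TTL_SECONDS = 12 * 60 * 60  # the 12-hour lifetime suggested above
BASE_URL = "https://example.com/reset-password"  # hypothetical reset page URL


def _hash_token(token: str) -> str:
    """Store only a hash: a leaked table then yields no usable reset links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_link(email: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-3: look up the account, record the request, return the link to email.

    Returns None for an unknown address. The web layer should show the same
    "if that address exists, we sent a mail" message either way, so the form
    cannot be used to discover which emails have accounts.
    """
    now = time.time() if now is None else now
    account_id = USERS_BY_EMAIL.get(email)
    if account_id is None:
        return None
    # 32 random bytes from the OS CSPRNG: unguessable, unlike an encrypted or
    # sequential user id, and the real account id never appears in the URL.
    token = secrets.token_urlsafe(32)
    RESET_REQUESTS[_hash_token(token)] = {"account_id": account_id, "created": now}
    return f"{BASE_URL}?token={token}"


def token_from_link(link: str) -> str:
    """Recover the token query parameter on the reset page (step 4)."""
    return parse_qs(urlparse(link).query)["token"][0]


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 5: validate the token; return the account id to reset, or None.

    The record is removed on every path, so each link works at most once,
    which is the 'delete the guid after use' point from the second answer.
    """
    now = time.time() if now is None else now
    record = RESET_REQUESTS.pop(_hash_token(token), None)
    if record is None:
        return None  # unknown, already used, or forged token
    if now - record["created"] > RESET_TTL_SECONDS:
        return None  # expired; the record is gone either way
    return record["account_id"]


if __name__ == "__main__":
    link = create_reset_link("alice@example.com")
    print("emailed link:", link)
    print("first use ->", consume_reset_token(token_from_link(link)))
    print("second use ->", consume_reset_token(token_from_link(link)))
```

Only `consume_reset_token` returning an account id should unlock the new-password form; the form handler must then also invalidate the user's existing sessions, since whoever reads the mailbox now controls the account.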


There is a railscast on exactly this subject: http://railscasts.com/episodes/274-remember-me-reset-password?view=asciicast
