Reset lost password through activation key
Read part I about the online membership script.
If the member forgets (or loses) the login password, the lost password cannot be retrieved, because it is stored in the table in encrypted form. In the basic login script the password is posted to the email address the member gave at signup; here we cannot do that, as the original password cannot be recovered.
In this case we reset the password to a new one. We generate one random activation key using our random generator and then encrypt it. This encrypted value is stored in a separate table together with the userid and the time the key was generated. We also keep one status field to record whether the key has already been used to reset the password. We set a time frame of 24 hours within which the activation key must be used, which is why the time of posting the activation key is stored. See the structure of the activation key table to know how the data is stored.
Once a member posts a request for a lost password, we generate this activation key, store it in the table, and send the activation key along with the userid in a link to the email address given by the member.
When the member clicks the link in the email (or copies and pastes it into the browser), the script collects the activation key and userid and matches them against the data stored in the table. While matching, it also checks that the record is within the 24-hour window and that its status is still pending; only such records are considered.
SELECT userid FROM plus_key WHERE pkey='$ak' and userid='$userid' and time > '$tm' and status='pending'
If the record is found (a valid request), we display a form asking the user to enter the new password.
In this form we use hidden fields to carry the userid and activation key to the next page, as we have to use them again.
Once the user submits the new password, the activation key is checked again along with the userid (this prevents a tampered form from bypassing the check). If both match, the new password is validated. If the password is acceptable, it is updated against the userid. At the same time the status of the activation key record is changed to done, so the activation key cannot be reused. This record can also be deleted if you don't want to keep a record of password changes.
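The whole flow described above (generate and store the key, build the link, verify key plus userid within 24 hours and pending status, then update the password and mark the key done) as one added PHP example. This is not the original script's code; it uses PDO with prepared statements instead of interpolating `$ak` and `$userid` into the query, stores only a SHA-256 hash of the key, and uses `password_hash` for the new password. The `plus_key` table follows the columns named on the page; the member table name `plus_signup`, its `password` column, the `reset.php` URL and the sample user are assumptions made for the demo.

```php
<?php
// Added example (not the original script's code). Assumptions: a PDO
// connection, table plus_key(userid, pkey, time, status) as on the page,
// and an assumed member table plus_signup(userid, password).
declare(strict_types=1);

const KEY_LIFETIME_SECONDS = 24 * 3600; // the page's 24-hour window

// Step 1: generate a random key, store only its hash with userid, time, status.
function createResetKey(PDO $db, string $userid): string
{
    $rawKey = bin2hex(random_bytes(16));        // 128 bits from a CSPRNG
    $storedKey = hash('sha256', $rawKey);       // table leak does not leak usable keys
    $stmt = $db->prepare(
        'INSERT INTO plus_key (userid, pkey, time, status) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$userid, $storedKey, time(), 'pending']);
    return $rawKey; // the raw value goes into the email link only
}

// Step 2: build the link carrying userid and activation key.
function buildResetLink(string $baseUrl, string $userid, string $rawKey): string
{
    return $baseUrl . '?' . http_build_query(['userid' => $userid, 'ak' => $rawKey]);
}

// Step 3: the page's SELECT, parameterised: same userid, within 24 hours, pending.
function keyIsValid(PDO $db, string $userid, string $rawKey): bool
{
    $stmt = $db->prepare(
        'SELECT pkey FROM plus_key WHERE userid = ? AND time > ? AND status = ?'
    );
    $stmt->execute([$userid, time() - KEY_LIFETIME_SECONDS, 'pending']);
    $expected = hash('sha256', $rawKey);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, $expected)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Step 4: re-check key + userid, validate the password, update it, mark key done.
function resetPassword(PDO $db, string $userid, string $rawKey, string $newPassword): bool
{
    if (strlen($newPassword) < 8 || !keyIsValid($db, $userid, $rawKey)) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE plus_signup SET password = ? WHERE userid = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userid]);
    $db->prepare('UPDATE plus_key SET status = ? WHERE userid = ? AND pkey = ?')
       ->execute(['done', $userid, hash('sha256', $rawKey)]);
    $db->commit();
    return true;
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE plus_key (userid TEXT, pkey TEXT, time INTEGER, status TEXT)');
$db->exec('CREATE TABLE plus_signup (userid TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO plus_signup VALUES ('alice', 'old-hash')"); // constructed row

$rawKey = createResetKey($db, 'alice');
echo buildResetLink('https://example.com/reset.php', 'alice', $rawKey), PHP_EOL;

var_dump(keyIsValid($db, 'alice', $rawKey));                      // valid, pending key
var_dump(resetPassword($db, 'alice', $rawKey, 'N3w-Passw0rd'));   // password updated
var_dump(keyIsValid($db, 'alice', $rawKey));                      // status is now done
var_dump(resetPassword($db, 'alice', "' OR '1'='1", 'N3w-Passw0rd')); // bound parameter, no match
```

Because the key is compared as a bound parameter and as a hash, a crafted value in the `ak` field is treated as data, not as part of the query; the second check inside `resetPassword` is what makes the hidden fields on the password form safe to trust.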
Download the ZIP file of the online membership management script with encrypted passwords.