Reset lost password by sending activation key by mail
Read part I about the online membership script.
If a member has forgotten (or lost) the login password, the lost password cannot be retrieved: it is stored in the table only in encrypted form, so the script cannot send the original password to the user's email address.
Instead, the user is asked to reset the old password to a new one. For this the script generates a random activation key with its random generator and then encrypts it. The encrypted value is stored in a separate table, plus_key, together with the userid and the time the key was generated. A status field records whether the key has already been used to reset the password. The activation key may only be used within 24 hours, which is why the time of posting is stored with it. See the structure of the plus_key table to see how the data is stored.
Step 1 (Sending the activation key by email)
At the login window the member can follow the forgot password link and enter the email address used at the time of signup. The script looks this email address up in the member table. It also checks whether a password activation key is already pending within the last 24 hours for this email address and userid.
Generation of Activation Key.
Here security is the prime concern: the activation key must not be guessable or traceable. If step 1 passes, we build a link containing the activation key and the user's userid and post it to the email address.
The activation key, userid, time of posting and status (pending) are stored as a record in the plus_key table at the time the reset email is sent.
Here is a sample of the link posted to the email address, with the activation key and userid in the URL. The link is built from the directory in which this script is installed.
When the member clicks the link in the email (or pastes it into the browser), the script collects the activation key and userid and matches both against the stored data in the table. The match also requires that the record is less than 24 hours old and that its status is still pending. Here is the sample query.
SELECT userid FROM plus_key WHERE pkey='$ak' and userid='$userid' and time > '$tm' and status='pending'
If a record is found (a valid request), a form is displayed asking the user to enter the new password.
This form carries the userid and activation key to the next page in hidden fields, since both are needed again.
When the user submits the new password, the activation key is checked again together with the userid (this is to prevent any injection attack). If both match the stored key and userid pair in the plus_key table, the new password is validated. If the password is acceptable, it is updated against the userid, and at the same time the status of the activation key record is changed to done so that the key cannot be reused. The record can also be deleted if you do not want to keep a history of password changes.
Here the validity period of the activation key is 24 hours, or 86400 seconds (24x60x60); it can be changed to any other duration as required.
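As an added example (not the article's own PHP script), here is the same flow in Python with an in-memory SQLite stand-in for the member and plus_key tables: the key comes from the OS random source, only its hash is stored, the lookup binds parameters instead of interpolating $ak and $userid into the query string, and a key is rejected once it is older than 24 hours or already used. Table and column names follow the article's query; the member table layout, the hashing of the key and the password hashing are assumptions of this example.

```python
import hashlib
import secrets
import sqlite3

KEY_TTL = 86400  # activation key lifetime: 24 hours, as in the article

def open_db():
    # In-memory stand-in for the script's tables (member layout is assumed).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (userid TEXT PRIMARY KEY, email TEXT, password TEXT)")
    db.execute("CREATE TABLE plus_key (userid TEXT, pkey TEXT, time INTEGER, status TEXT)")
    return db

def hash_key(key):
    # Only the hash is stored, so a copy of plus_key does not reveal usable keys.
    return hashlib.sha256(key.encode()).hexdigest()

def hash_password(password, salt=None):
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 100_000)
    return salt + "$" + digest.hex()

def issue_key(db, email, now):
    """Step 1: find the member by email, refuse if a key is still pending, else store a new one."""
    row = db.execute("SELECT userid FROM member WHERE email=?", (email,)).fetchone()
    if row is None:
        return None
    userid = row[0]
    live = db.execute("SELECT 1 FROM plus_key WHERE userid=? AND status='pending' AND time>?",
                      (userid, now - KEY_TTL)).fetchone()
    if live:
        return None
    key = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    db.execute("INSERT INTO plus_key VALUES (?,?,?,?)", (userid, hash_key(key), now, "pending"))
    return userid, key  # plaintext key goes only into the mailed link

def check_key(db, userid, key, now):
    """The article's SELECT with bound parameters: pending and less than 24 hours old."""
    row = db.execute("SELECT userid FROM plus_key WHERE pkey=? AND userid=? AND time>? "
                     "AND status='pending'", (hash_key(key), userid, now - KEY_TTL)).fetchone()
    return row is not None

def reset_password(db, userid, key, new_password, now):
    """On submit: re-check the key/userid pair, store the new password, mark the key done."""
    if not check_key(db, userid, key, now):
        return False
    db.execute("UPDATE member SET password=? WHERE userid=?", (hash_password(new_password), userid))
    db.execute("UPDATE plus_key SET status='done' WHERE userid=? AND pkey=?", (userid, hash_key(key)))
    return True
```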
Two files are used to send the activation key to the user's email address.
When the user clicks the link in the email, the browser opens the page using the base URL that is declared to hold the installed path of the script.