php.lv forums

"Forgot password?" un drošība


ArnisR

And where was it I sent you, then??

 

1. When the user asks to reset their password, make them enter their email address.
2. Don't indicate whether that email address was valid or not (just tell them that an email was dispatched). This is open for debate as it lowers usability (i.e. I have no idea which email I registered with), but it offers less information to people trying to gather information on which emails are actually registered on your site.
3. Generate a token (maybe hash a timestamp with a salt) and store it in the database in the user's record.
4. Send an email to the user along with a link to your HTTPS reset page (token and email address in the URL).
5. Use the token and email address to validate the user.
6. Let them choose a new password, replacing the old one.
7. Additionally, it's a good idea to expire those tokens after a certain time frame, usually 24 hours.
8. Optionally, record how many "forgot" attempts have happened, and perhaps implement more complex functionality if people are requesting a ton of emails.
9. Optionally, record (in a separate table) the IP address of the individual requesting the reset. Increment a count from that IP. If it ever reaches more than, say, 10... ignore their future requests.
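The nine steps quoted above, carried through end to end as an added worked example in Python. This is not code from the original post or from php.lv; the list itself names no language. It departs from step 3 in one labelled way: the token is 32 random bytes from the CSPRNG rather than a hashed timestamp, and only the SHA-256 of the token is stored, so a read of the user table does not yield working reset links. The table layout, the in-memory SQLite database, the `example.com` reset URL, the helper names and the sample user are all assumptions constructed for the example; the 24-hour lifetime and the "more than 10 requests per IP" cut-off are the post's own figures.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Policy values. The 24 h lifetime and the "more than 10 per IP" cut-off come
# from the post; everything else in this file is an assumption made for the example.
TOKEN_TTL_SECONDS = 24 * 60 * 60
MAX_RESETS_PER_IP = 10
PBKDF2_ROUNDS = 100_000
# Step 2: one reply for every request, whether or not the address is registered.
GENERIC_REPLY = "If that address is registered, a reset link has been emailed to it."


def open_db() -> sqlite3.Connection:
    """In-memory SQLite schema constructed as a stand-in for the site's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            email            TEXT PRIMARY KEY,
            pw_salt          BLOB NOT NULL,
            pw_hash          BLOB NOT NULL,
            reset_token_hash BLOB,      -- SHA-256 of the token, never the token itself
            reset_expires    INTEGER    -- unix time after which the token is dead
        );
        CREATE TABLE reset_requests (   -- step 9: separate table keyed by requesting IP
            ip    TEXT PRIMARY KEY,
            count INTEGER NOT NULL
        );
    """)
    return conn


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _token_hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def add_user(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users (email, pw_salt, pw_hash) VALUES (?, ?, ?)",
                 (email, salt, _pw_hash(password, salt)))


def verify_password(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute("SELECT pw_salt, pw_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    return row is not None and hmac.compare_digest(_pw_hash(password, row[0]), row[1])


def request_reset(conn, email, ip, now):
    """Steps 1-4, 8 and 9. Returns (reply shown to the requester, token for the email or None).

    The reply is the same string on every path, so it tells the caller nothing about
    whether `email` exists; only the token, which leaves by email, differs."""
    # Step 9: per-IP counter; once it exceeds the limit, requests are silently ignored.
    conn.execute("INSERT OR IGNORE INTO reset_requests (ip, count) VALUES (?, 0)", (ip,))
    conn.execute("UPDATE reset_requests SET count = count + 1 WHERE ip = ?", (ip,))
    (count,) = conn.execute("SELECT count FROM reset_requests WHERE ip = ?", (ip,)).fetchone()
    if count > MAX_RESETS_PER_IP:
        return GENERIC_REPLY, None

    # Step 3, with a random token instead of a hashed timestamp: 256 bits from the
    # CSPRNG, and only its hash is stored, so a leaked database row is not a usable link.
    token = secrets.token_urlsafe(32)
    updated = conn.execute(
        "UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE email = ?",
        (_token_hash(token), now + TOKEN_TTL_SECONDS, email)).rowcount
    # Step 4 is the caller's job: mail https://example.com/reset?email=...&token=<token>
    # (hypothetical URL) when a row was updated; unknown addresses get the reply only.
    return GENERIC_REPLY, (token if updated == 1 else None)


def reset_password(conn, email, token, new_password, now) -> bool:
    """Steps 5-7: check email + token, enforce expiry, set the new password, burn the token."""
    row = conn.execute("SELECT reset_token_hash, reset_expires FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None or row[0] is None:
        return False
    stored_hash, expires = row
    # Constant-time comparison, and nothing is changed until every check has passed.
    if not hmac.compare_digest(_token_hash(token), stored_hash):
        return False
    if now > expires:
        return False
    salt = secrets.token_bytes(16)
    conn.execute("UPDATE users SET pw_salt = ?, pw_hash = ?, "
                 "reset_token_hash = NULL, reset_expires = NULL WHERE email = ?",
                 (salt, _pw_hash(new_password, salt), email))
    return True


if __name__ == "__main__":
    import time
    db = open_db()
    add_user(db, "alice@example.com", "old-secret")          # constructed sample user
    reply, tok = request_reset(db, "alice@example.com", "203.0.113.5", time.time())
    print(reply)                                             # the only thing the browser sees
    print(reset_password(db, "alice@example.com", tok, "new-secret", time.time()))
```

Two details worth copying even if the rest is replaced: the reply string is built once and returned on every path, including the rate-limited one, so step 2 cannot be undone by a later branch; and a successful reset clears the token, so a link that was forwarded or logged is dead after first use even inside the 24-hour window.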

4 months later...

Don't indicate if that email address was valid or not (just tell them that an email was dispatched). This is open for debate as it lowers usability (i.e. I have no idea which email I registered with) but it offers less information to people trying to gather information on which emails are actually registered on your site.

Useless bullshit in the cases where registration asks for an email and then shows that it's already taken.
