We take a similar approach. I guess to expand on his explanation, we 
have a separate field in the users table that contains a UUID, generated 
at the time the request for a new password is made. The link that gets 
sent out doesn't include the UserID, just the UUID. Then, when the 
password is reset, the UUID field is set back to NULL. We also have a 24 
hr window in which to get the thing reset.

Hope this helps!
Ryan

Brad Wood wrote:
> Our system does the following:
> * User clicks "forgot my password link"
> * They enter their user name and e-mail address
> * If that user name exists in the database WITH that e-mail address an
> e-mail is sent to that e-mail address with a link that is valid for 24
> hours.
> * If/when the link is clicked the password is reset and the user is
> asked to change it immediately.
>
> The link contains the id of the user AND a random string which is stored
> on the server to verify that the link came from the E-mail.
>
> This way people can reset their own passwords and ONLY their own,
> because if they try to reset someone else's password, then they won't be
> able to get the link in the E-mail.  The password is only reset if the
> link is clicked.  
>
> Also there is no record of their password in their inbox and they are
> required to change it anyway.  
>
> ~Brad
>
> -----Original Message-----
> From: Jim McAtee [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 15, 2008 5:02 PM
> To: CF-Talk
> Subject: Password recovery strategies
>
> I'm exploring some of the ways that we can implement password recovery. 
> Passwords are stored as hashed values in a database.
>
> Some systems I've used will immediately reset the password, some send a 
> message that when a link is followed resets the password.  Some send the
> new password out in plaintext, some require changing that password 
> immediately, some let you use the randomly generated password 
> indefinitely.
>
> Ideas, pros and cons of different approaches? 
>


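The token-based flow the two replies above describe (a random value stored against the user, a link that carries only that value, a 24-hour window, and the field cleared once the reset happens), written out as an added example that is not code from either poster. It goes one step beyond the thread by storing only a hash of the token rather than the token itself; the users table, the 'alice' row and the already-hashed password values are constructed sample data.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the 24-hour window both posts describe


@dataclass
class User:
    username: str
    email: str
    password_hash: str                      # hashed by the caller, as in the thread
    reset_token_hash: Optional[str] = None  # NULL until a reset is requested
    reset_requested_at: Optional[float] = None


def make_users() -> Dict[str, User]:
    """Constructed sample 'users' table (hypothetical data)."""
    return {"alice": User("alice", "alice@example.com", "pwhash-alice")}


def _token_hash(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table row is not a usable link.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(users: Dict[str, User], username: str, email: str, now: float) -> Optional[str]:
    """Return the raw token to embed in the e-mailed link, or None if the pair does not match."""
    user = users.get(username)
    if user is None or user.email.lower() != email.lower():
        return None
    token = secrets.token_urlsafe(32)       # 256 random bits from the OS CSPRNG
    user.reset_token_hash = _token_hash(token)
    user.reset_requested_at = now
    return token


def redeem_reset(users: Dict[str, User], token: str, new_password_hash: str, now: float) -> bool:
    """Consume the token from the link; the link carries no user id, so we look up by token."""
    digest = _token_hash(token)
    for user in users.values():
        if user.reset_token_hash is None:
            continue
        if not secrets.compare_digest(user.reset_token_hash, digest):
            continue
        requested_at = user.reset_requested_at
        user.reset_token_hash = None        # single use: cleared before any other check
        user.reset_requested_at = None
        if now - requested_at > TOKEN_TTL_SECONDS:
            return False                    # expired: the user must request again
        user.password_hash = new_password_hash
        return True
    return False
```

Because the token is cleared before the expiry check, an expired link can never be replayed later, and a mismatched user name / e-mail pair leaves the table untouched.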

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303511