On Jun 28, 1:12 am, Luke Plant <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED] said the following:
> > I'd suggest making the code to change the password a one-use-only
> > item though, so that even if someone did sniff the code, it'd be
> > useless after that.
>
> The problem with this is it requires state on the server, which means
> extra database models, and on top of that those tables will need cron
> jobs to clear them out or something.
Here's the way I usually solve this problem: send out a link that looks
like this:

https://example.com/reset/1214612777-34-7127f83ebf8ce7ed22bdc50a50572a30

There are three components to this link: the timestamp that the link was
sent out, the user's ID and an md5 hash of (timestamp + user_id +
SECRET_KEY). The timestamp is used to enforce a policy that says you must
follow the link within 24 hours of it being sent out. The md5 hash guards
against tampering. When the user clicks the link, they are taken to a
one-time screen that asks them to enter and confirm a brand new password.

With the above scheme you don't have to store state on the server and you
don't have to generate a random password for the user.

For added bonus points, instead of sending the timestamp as a full base 10
integer use hexadecimal and the number of days since the epoch - that
allows you to represent the time in just a few characters, which can mean
your entire reset URL fits within the 72 character line limit imposed by
bad e-mail clients such as Outlook (which can't handle URLs that wrap).

You can try this scheme out for yourself by going through the lost
password recovery process on djangopeople.net:

http://djangopeople.net/lost/

I've got code for this lying round which I'd be happy to donate if people
agree this is the right approach.

Cheers,

Simon

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
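The stateless reset link Simon describes (coarse timestamp, user id, keyed digest, 24-hour policy, hex days-since-epoch to keep the URL short), written out as an added example; this is not the code Simon offered to donate and not Django's implementation. Two things are changed from the post and should be read as this example's own choices: the digest is an HMAC-SHA256 over the fields rather than md5(timestamp + user_id + SECRET_KEY), because a keyed MAC is what "guards against tampering" actually needs (plain hash-of-concatenation is open to length-extension and field-boundary ambiguity), and the user's stored password hash is mixed into the MAC input. That second addition is what answers the one-use-only point raised earlier in the thread without any server-side state: once the password is changed the hash changes, so the same link no longer verifies. `SECRET_KEY`, the `USERS` dict and the password hash strings are constructed placeholders, not real values.

```python
import hashlib
import hmac
import time

# Constructed for this example; stands in for Django's SECRET_KEY setting.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
MAX_AGE_DAYS = 1  # link must be used within a day of being sent

# Constructed stand-in for the user table: id -> stored password hash.
USERS = {
    34: {"password_hash": "sha1$abc$0123456789abcdef"},
    35: {"password_hash": "sha1$def$fedcba9876543210"},
}


def _days_since_epoch(now=None):
    """Coarse timestamp: whole days since the Unix epoch (fits in 4 hex chars)."""
    return int(time.time() if now is None else now) // 86400


def _mac(days, user_id, password_hash):
    """Keyed digest over the token fields (HMAC-SHA256, truncated to 128 bits).

    Replaces md5(timestamp + user_id + SECRET_KEY) from the post. The field
    separator prevents "1|234" and "12|34" style ambiguity, and including
    the stored password hash makes the link single-use: after a reset the
    hash differs, so the old link no longer verifies.
    """
    msg = f"{days:x}|{user_id}|{password_hash}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:32]


def make_reset_token(user_id, password_hash, now=None):
    """Build '<hex days>-<user id>-<mac>' for a reset URL such as
    https://example.com/reset/36ea-34-<mac> (hypothetical URL)."""
    days = _days_since_epoch(now)
    return f"{days:x}-{user_id}-{_mac(days, user_id, password_hash)}"


def check_reset_token(token, users, now=None):
    """Return the user id the token is valid for, or None on any failure.

    Order of checks: parse, look up user, verify MAC in constant time,
    then enforce the age policy. Every failure path returns None so the
    caller cannot distinguish a forged token from an expired one.
    """
    try:
        days_hex, uid_str, mac = token.split("-", 2)
        days = int(days_hex, 16)
        user_id = int(uid_str)
    except ValueError:
        return None
    user = users.get(user_id)
    if user is None:
        return None
    expected = _mac(days, user_id, user["password_hash"])
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    # Day granularity: "within 24 hours" becomes "sent today or yesterday",
    # which admits up to 48 hours. Future-dated tokens are rejected outright.
    age = _days_since_epoch(now) - days
    if age < 0 or age > MAX_AGE_DAYS:
        return None
    return user_id


if __name__ == "__main__":
    sent_at = 1214612777  # the timestamp used in the post's example link
    tok = make_reset_token(34, USERS[34]["password_hash"], now=sent_at)
    print(tok)                                            # starts with 36ea-34-
    print(check_reset_token(tok, USERS, now=sent_at))     # 34
    print(check_reset_token(tok, USERS, now=sent_at + 3 * 86400))  # None
```

Note that the day counter alone does not give a "one-time screen": without the password hash (or some other per-user value that changes on reset) in the MAC input, a sniffed link stays valid until it ages out, which is exactly the gap the earlier message in the thread was pointing at.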
