If you do a password reset system, please remember not to reset the
password before they confirm who they are.

This means that instead of having them enter their login and email address
and immediately resetting their password, send the account owner an e-mail
with a link that will reset their password. If you have SSL, make the
link go over SSL so that the traffic is secure.  The link should
contain a unique id that was randomly generated and stored in the
database. When they click the link, validate the account name, email
address and the unique id; if they match, reset the password and remove
the unique id from the list of approved ids. This prevents someone from
replaying the URL and resetting the password again.

Jason

On Mon, 2003-02-17 at 17:48, Justin French wrote:
> on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:
> 
> > I'm thinking that the MD5 function more than likely encrypts a password to
> > store into a database, and when you log in using the MD5 function it will
> > simply encrypt the value being passed along again the same way. Now I'm
> > wondering what happens when a user has lost their password and needs to
> > retrieve it; there is no way to reverse the process, is there?
> 
> No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character
> password will both have the same length md5 value).
> 
> You would need to write a script which resets their password, and sends it
> to them via email.
> 
> If they've forgotten what password they set, then they're obviously not too
> precious about it being the same password.  Reset it to something random,
> send it to them via email (handy for confirming their email address is still
> valid), and let them login with that password, and change it to something
> else if they wish.
> 
> Justin French
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
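A worked version of the flow Jason describes above, added here as an example; it is not code from the list thread. It is written in Python rather than PHP so it runs stand-alone, with an in-memory dict standing in for the database rows. Nothing about the account changes at request time; the password is only replaced once the account name, e-mail address and the random id all match, and the id is removed at that moment so a replayed URL is rejected. Two details go beyond the post and are assumptions of this example: the id is stored as a SHA-256 hash of the token (so a leaked table cannot be turned into a working reset link) and it expires after TOKEN_TTL_SECONDS, and passwords are hashed with PBKDF2 rather than the md5() discussed in the quoted message.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption (not in the post): a reset link is only honoured for one hour.
TOKEN_TTL_SECONDS = 3600


class PasswordResetService:
    """In-memory stand-in for the users table and the 'list of approved ids'."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        # username -> {"email": str, "salt": bytes, "pw_hash": bytes}
        self._users = {}
        # sha256(token) -> {"username": str, "expires": float}
        self._pending = {}

    @staticmethod
    def _hash_password(password, salt):
        # PBKDF2 instead of md5(): salted, slow, and one-way.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _hash_token(token):
        # Assumption: store only a hash of the id so a DB leak does not leak live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def add_user(self, username, email, password):
        salt = os.urandom(16)
        self._users[username] = {
            "email": email,
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
        }

    def check_login(self, username, password):
        user = self._users.get(username)
        if user is None:
            return False
        candidate = self._hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["pw_hash"])

    def request_reset(self, username, email):
        """Step 1: mint a random id and hand it back as the 'link' to e-mail.

        The account is NOT touched here. Returns None when name/e-mail do not
        match (a real handler would show the same page either way so the
        response does not reveal which accounts exist).
        """
        user = self._users.get(username)
        if user is None or user["email"] != email:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash_token(token)] = {
            "username": username,
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return token  # would be embedded in an https:// link in the e-mail

    def complete_reset(self, username, email, token, new_password):
        """Step 2: validate name, e-mail and id together; consume the id; reset."""
        key = self._hash_token(token)
        entry = self._pending.get(key)
        if entry is None:
            return False  # unknown, already used, or never issued
        if self._now() > entry["expires"]:
            del self._pending[key]
            return False
        user = self._users.get(username)
        if entry["username"] != username or user is None or user["email"] != email:
            return False
        # Remove the id before changing anything, so a second click on the
        # same URL (the replay the post warns about) finds nothing to honour.
        del self._pending[key]
        user["salt"] = os.urandom(16)
        user["pw_hash"] = self._hash_password(new_password, user["salt"])
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.add_user("vernon", "vernon@example.com", "old-secret")  # constructed sample account
    link_id = svc.request_reset("vernon", "vernon@example.com")
    print("login with old password still works:", svc.check_login("vernon", "old-secret"))
    print("first use of link:", svc.complete_reset("vernon", "vernon@example.com", link_id, "new-secret"))
    print("replay of same link:", svc.complete_reset("vernon", "vernon@example.com", link_id, "again"))
```

The same id is checked against both the account name and the e-mail address, not just looked up on its own, so guessing or intercepting a token for one account does not help with another; and because the token hash is the only thing in the table, an attacker who reads the table still has nothing that works in a URL.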