> > 2. Give the user a temporary (one-time use) password and send them that.
> > Keep track that the password is temporary and make them reset their
> > password immediately after logging in. (This is the safest way I know of
> > to implement password recovery).
>
I would implement this slightly differently. Rather than create a temporary password, take them through the normal process and then enforce a password reset - I would create a token, send them a link to a reset password page that has the token in the URL, accept a new password on that form, find a user with that token and change the password, remove the token from the user record (so it can't be reclicked from email or hit accidentally) and redirect them (to either a login page or their profile page if you automatically log them in from the token).

To me that's a slightly better UX flow than giving them a temporary password, having them log in with it (knowing their browser may suggest to save the one-time password) and then asking them to reset it.

Cheers,
Andy

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-t...@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
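The token flow Andy describes (mint a token, email a link carrying it, look the user up by token, set the new password, clear the token so the link is single-use), as an added plain-Ruby example that is not Andy's code and uses no Rails; the in-memory user store, the one-hour expiry and storing only a digest of the token are my assumptions, and SHA-256 stands in for bcrypt/has_secure_password on the password column:

```ruby
require "securerandom"
require "digest"
require "time"

# Constructed in-memory stand-in for a users table (example code, not from the thread).
class ResetFlow
  TOKEN_TTL = 60 * 60  # assumed limit: links older than an hour are refused

  def initialize
    @users = {}  # email => { password_digest:, reset_digest:, reset_sent_at: }
  end

  def register(email, password)
    @users[email] = { password_digest: digest_of(password), reset_digest: nil, reset_sent_at: nil }
  end

  # Step 1: mint a random token, keep only its digest on the user record (a leaked
  # table then yields nothing usable) and return the raw token for the emailed link,
  # e.g. /password_resets/<token>/edit. Unknown emails get nil; the controller
  # should render the same "check your inbox" page either way.
  def request_reset(email, now = Time.now)
    user = @users[email]
    return nil unless user
    token = SecureRandom.urlsafe_base64(32)
    user[:reset_digest] = digest_of(token)
    user[:reset_sent_at] = now
    token
  end

  # Steps 2-4: find the user by token digest, reject stale links, set the new
  # password and clear the token so the same link cannot be used again.
  def reset_password(token, new_password, now = Time.now)
    _email, user = @users.find { |_, u| u[:reset_digest] == digest_of(token) }
    return :invalid_token unless user
    if now - user[:reset_sent_at] > TOKEN_TTL
      user[:reset_digest] = nil          # expired: burn it so it cannot be retried
      return :expired
    end
    user[:password_digest] = digest_of(new_password)
    user[:reset_digest] = nil
    user[:reset_sent_at] = nil
    :ok
  end

  def authenticate?(email, password)
    u = @users[email]
    !u.nil? && u[:password_digest] == digest_of(password)
  end

  private

  def digest_of(s)
    Digest::SHA256.hexdigest(s)
  end
end
```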