Generate temporary URL to reset password

Question

I am looking to implement a Forgot Password feature on my website. I like the option where an email containing a temporary one-time use URL that expires after some time is sent

Answer 1

I would definitely include the database in this process. Once a reset is requested, it's a good idea to indicate that the account is locked out.

For example, if you are changing your pw because you think your account may have been compromised, you definitely don't want it to remain accessible while you go about the change process.

Also, inclusion of "real" information in the reset token could be decoded if someone really wants it and has the horsepower. It would be safer to generate a random string, save it in the db in the row for that user, and then key back to it when the link is clicked.

This gives you two things:

1) There's nothing to decrypt, and therefore nothing of value can be gained from it. 2) The presence of the token in the user record indicates that reset is in progress and the account should be treated as locked out.