forgot-password

I need to implement a forgot password to a login page. First I verify email then generate a string, after that send a link with key and email to the particular mail. I know how to reset but what happened receive the link to that mail $message= "<a href='".base_url()."user/reset_pass/$key/$email'>"; This is the link I provided. First you need to check if session exist when user click on forgot password. if No,then set validation method for email which you will be taking from user. like this : $this->form_validation->set_rules('email', 'Email', 'required|valid_email|callback_email_exists'); In

How do I generate a password reset token in node.js that can be used in a url? I just need the method for generating the token: user.reset_password_token = ???; user.reset_password_expire = expire_date; Edit -- here's the solution: user.reset_password_token = require('crypto').randomBytes(32).toString('hex'); I'm using this to generate my auth-token: require('crypto').randomBytes(32, function(ex, buf) { var token = buf.toString('hex'); }); Crypto Node.js v0.8.9 Manual & Documentation function customToken() { var buffreValue = new Buffer(64); for (var i = 0; i < buffreValue.length; i++) {

I don't want to have the security question and answer feature that ASP.Net Membership Provider gives, but I DO want to enable a lost/forgotten password page. This page would be where a user would enter his/her email address and an email would be sent to that address if the user was registered for them to reset their password via a link sent to that registered email address I've created the custom table to track such requests, the random key assigned to the request as well as an expiry date on the request. However in writing the code to actually reset the password, I realised that there doesn't

Would there be any big issues if they never expire? Somebody forgot his password and requests to reset his password, an email with the password reset link is sent to him. He then suddenly remembers his password and so he simply ignores the password reset email. But after a few days, he forgot again. Since he already has a password reset email in his mailbox, he simply clicks on that link to go back to the website to reset his password. This seems ok, so why should we make account activation/password reset links expire after some time? What if their email account was compromised. The attacker