Possible Duplicate:
What is the best “forgot my password” method?
After reading about different forgotten password request techniques, I have decided to go with sending a user a link by email where they can go to change their password. My question is what is the best way to do this? Here's my current method:
- Ask the user for their email.
- Send them a link to a newpassword.php page with a randomly generated long alphanumeric code as a parameter.
- Hash that code and store it in a MySQL table with the email address and a timestamp.
- When the user goes to the link, they're asked for their email again.
- Search the table for that email. If the timestamp is over 24 hours old, the entry is deleted and the user has to request another link.
- Check that the code matches. If so, let the user reset their password.
- Change the password in the users table and send another email to confirm it has been changed.
I'm new to website security, but I haven't found many examples of algorithms for having a user reset a forgotten password (except for simply creating a new one and sending it to them, which seems rather weak to me). Are there any security flaws in my approach? Anyone know any good guides I can look into? Thanks in advance!
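The flow described in the question, written out as an added example that is not part of the original post (Python rather than the asker's PHP/MySQL, with an in-memory dictionary standing in for the table and a list standing in for the mailer). It assumes a hypothetical `PasswordResetService` class and a constructed `example.invalid` URL; the 24-hour lifetime comes from the question. It shows the pieces the steps rely on: a CSPRNG-generated code, storing only a hash of that code, a constant-time comparison, expiry, single use, and an identical response whether or not the address is registered.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60  # 24-hour lifetime, as in the question
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'salthex$dkhex'."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


class PasswordResetService:
    """Hypothetical service; `_pending` stands in for the MySQL reset table."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # email -> {"token_hash": str, "created": float}
        self.users = {}            # email -> password hash (constructed user store)
        self.sent_mail = []        # constructed outbox: (recipient, body)

    @staticmethod
    def _hash_token(token: str) -> str:
        # Only the hash is stored, so a leaked table does not yield usable links
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> Optional[str]:
        """Steps 1-3: issue a random code, store its hash, mail the raw code."""
        if email not in self.users:
            # Same externally visible behaviour as the success path; the return
            # value here exists only so the example can be tested offline
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[email] = {"token_hash": self._hash_token(token), "created": self._now()}
        self.sent_mail.append((email, f"https://example.invalid/newpassword.php?code={token}"))
        return token

    def reset_password(self, email: str, token: str, new_password: str) -> bool:
        """Steps 4-7: re-check email, enforce TTL, compare code, rotate password."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._now() - entry["created"] > TOKEN_TTL_SECONDS:
            del self._pending[email]   # expired: user must request a new link
            return False
        if not hmac.compare_digest(entry["token_hash"], self._hash_token(token)):
            return False
        del self._pending[email]       # single use: a replayed link fails
        self.users[email] = hash_password(new_password)
        self.sent_mail.append((email, "Your password has been changed."))
        return True
```

Two details are worth carrying over to a real implementation: the lookup and the code comparison are keyed on the email the user re-enters, so a code alone is not enough, and the pending entry is removed on first successful use rather than left until the 24-hour cleanup.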