How to create a proper reset password link and user confirmation link

Hi,

Please, I would like to receive some suggestions on how to implement the following correctly.

For password reset, or for the confirmation link, a registered user clicks the URL in his email message.

The query string for reset password contains parameters like:
action=reset_password&email=...&hash=...

  • action identifies the type of request;
  • email is that of the registered user who requested the password reset;
  • hash is made up of the id number of the user (maybe also concatenating a fixed salt of 20 chars), passed as the parameter to the PHP function password_hash.

The confirmation link is similar:
action=confirm_user&email=...&hash=...

hash is made up of the email concatenated with date('mY') (maybe also concatenating a fixed salt of 20 chars), passed as the parameter to password_hash.

What do you think about it? Can you give me any other suggestions? Many thanks!

I have some simple questions. Consider the unique id number of a user from the database. I would proceed in one of these two alternative ways using the PHP function password_hash:

  • I use password_hash and use the id number as the first parameter of the function;

  • I use password_hash and use the id number and a fixed salt as the first parameter of the function.

If I understand correctly, password_hash returns a hashed value from a given string, to which it has automatically added a salt string. So my question is:

passing only the id number of the user selected from the database, even if password_hash automatically uses a salt on it, is it easy to guess a valid hash simply by passing an id number?

Does it seem more difficult to guess if there is also a fixed salt concatenated to the id number?

Mostly you break hashing functions (generating collisions) when mixing them with your own logic; it's not that simple. Instead, be prepared to use better hash functions if available in the future: have a look at password_needs_rehash().

For your email recovery: use a random string for authentication, like uniqid(), that does not relate to your user and may be invalidated within a short time period.

Please, can you explain this better?

OK.

If I understand correctly, uniqid() would not be related to the id number of the user, but instead stored in the same record as the user who has just registered. Is that right?

Just have a look at this thread to make up your own mind,

or do further research on your own hash functions.

And yes, just don't base the key on any user information; you just need a unique value for verification.

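The following is an added example written for this thread, not code posted by any of the participants. It puts the two approaches side by side: the scheme from the question, where the link's hash is password_hash() applied to the user id, and the recommended one, a random token that is stored hashed, expires, and can be used once. The in-memory array standing in for a database table, the function names and the 15-minute TOKEN_TTL_SECONDS are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Contrasts the scheme in the
// question (hash = password_hash(user id)) with a random, stored, expiring,
// single-use token. $resetTokens is an in-memory array standing in for a
// database table; TOKEN_TTL_SECONDS is an assumed policy value.

// --- Scheme from the question --------------------------------------------
// password_hash() is a public function and the user id is guessable
// (1, 2, 3, ...), so anyone can produce a "hash" that the only check the
// server could make, password_verify(), accepts.
function attackerForgesHash(int $guessedUserId): string
{
    return password_hash((string) $guessedUserId, PASSWORD_DEFAULT);
}

function weakVerify(int $userId, string $hashFromUrl): bool
{
    return password_verify((string) $userId, $hashFromUrl);
}
// A fixed salt taken from the source code only helps while it stays secret,
// and it still gives no expiry and no single use: a link stays valid forever.

// --- Random token, stored hashed, short-lived, single-use -----------------
const TOKEN_TTL_SECONDS = 900; // 15 minutes, assumed policy

function issueResetToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG, unrelated to the user
    $store[hash('sha256', $token)] = [       // keep only a hash: a leaked table cannot be replayed
        'user_id' => $userId,
        'expires' => $now + TOKEN_TTL_SECONDS,
        'used'    => false,
    ];
    return $token;                           // the raw token goes into the e-mail link only
}

// Returns the user id the token belongs to, or null if unknown, expired or already used.
function consumeResetToken(array &$store, string $token, int $now): ?int
{
    // A direct lookup is fine here: the key is the hash of a 256-bit random
    // value, so a timing side channel has nothing to narrow down.
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $row = $store[$key];
    if ($row['used'] || $now > $row['expires']) {
        return null;
    }
    $store[$key]['used'] = true;             // single use
    return $row['user_id'];
}

// --- Demonstration -------------------------------------------------------
$forged = attackerForgesHash(42);
echo "id-based scheme accepts an attacker-made hash for user 42: ",
     var_export(weakVerify(42, $forged), true), "\n";

$resetTokens = [];
$now   = time();
$token = issueResetToken($resetTokens, 42, $now);
echo "fresh token resolves to user: ",
     var_export(consumeResetToken($resetTokens, $token, $now + 60), true), "\n";
echo "same token presented a second time: ",
     var_export(consumeResetToken($resetTokens, $token, $now + 61), true), "\n";

$late = issueResetToken($resetTokens, 42, $now);
echo "unused token presented after the TTL: ",
     var_export(consumeResetToken($resetTokens, $late, $now + TOKEN_TTL_SECONDS + 1), true), "\n";
```

With this design the link needs only action and the token; the email parameter becomes unnecessary, because the stored row already says which user the token was issued to. A confirmation link works the same way, with a separate purpose (or table) so that a confirmation token can never be spent as a password reset.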

I don't want to create a new thread; I think this clarification can add some value to this topic.

We have talked about uniqid before. On the official PHP site I can read that uniqid():

Gets a prefixed unique identifier based on the current time in microseconds.

What is that "current time"?
Is it the hour:minutes:seconds of the current day etc., so that every day there is some possibility of encountering the same value, or is it a timestamp?

thanks!

Just read the manual you have linked:

Gets a prefixed unique identifier based on the current time in microseconds

and so on…

Does this post help?

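As an added example (not something posted in the thread), the script below takes a uniqid() value apart. Without the more_entropy flag the function returns 13 hexadecimal digits: the first 8 are the Unix timestamp in seconds since the epoch and the last 5 are the microsecond part, so the value does not cycle daily, but it is a clock reading that anyone who can estimate when it was generated can reconstruct. The function name decodeUniqid is an assumption made for the example.

```php
<?php
// Added example, not code from the thread: takes uniqid() apart to show what
// "current time" means. Without the more_entropy flag, uniqid() is 13 hex
// digits: 8 for the Unix timestamp in seconds and 5 for the microsecond part.
function decodeUniqid(string $id): array
{
    return [
        'seconds'      => hexdec(substr($id, 0, 8)),
        'microseconds' => hexdec(substr($id, 8, 5)),
    ];
}

$id    = uniqid();
$now   = time();
$parts = decodeUniqid($id);

printf("uniqid()             = %s\n", $id);
printf("decoded Unix seconds = %d (time() now = %d)\n", $parts['seconds'], $now);
printf("decoded microseconds = %d\n", $parts['microseconds']);
printf("as UTC date/time     = %s\n", gmdate('Y-m-d H:i:s', $parts['seconds']));

// For comparison, a value that really is unpredictable and is the right
// building block for a reset or confirmation token:
printf("random_bytes(16)     = %s\n", bin2hex(random_bytes(16)));
```

Running it shows the decoded seconds matching time() to within a second. That is the practical point for this thread: uniqid() is unique enough for a filename or a log line, but a reset token has to be unpredictable, which is what random_bytes() provides.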
