I’m building up a membership system at the moment, taking plenty of time on each component trying to make sure everything is top notch, and I’ve come to resetting the user’s password. Now the system I want is to have the user submit their email (that exists in my database), have them be sent an email with a unique reset link in it, and then once the link is clicked they’re given their new password.
NOW, I know I could quite easily create tokens in the database each time a user requests a password reset, but I was wondering if anyone had another, secure method of doing this without creating a database table?
Any comments on the topic would be greatly appreciated!
It might not be what you tried to avoid, but nothing prevents you from extending your “users” table instead of creating another one, by having that unique token field and a flag whether the user requested the reset or not.
However, that doesn’t defeat the point that you have a database in the game once more.
I wouldn’t try to do it without the database honestly.
On the other hand, are there any other means to reset the password - such as administrator or another super user being able to reset it?
If there’s something I dislike - it’s the resetting of passwords at a variety of websites / forums. You request the reset, however you forgot what email you used to register.
You finally remember WHAT email it was, but you have no idea what the login is to access it.
After you finally got to your damn inbox, hey - there’s no email! Spam filters FTW!
Or it could be that the mail server where the aforementioned site/forum was hosted had a hiccup and damn, it’s not sending any emails!
The punch line is that it takes friggin’ time, and it’s so much easier having an alternative option - or if it’s a bespoke internal application built with web technologies - who says username and password have to be used to authenticate users with the application?
I could go on, but I’ll finish with saying that I’d stick with the token > email > reset password idea.
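The “token field on the users table” approach from the reply above, as an added example that is not the poster’s or the original asker’s code. It assumes an in-memory dict standing in for the extended users table and assumed column names (`reset_token_hash`, `reset_expires`); only the digest of the token is stored, the link is time-limited, and the token is cleared after one use.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 60 * 60  # reset links stop working after one hour

def _digest(token):
    # Only this digest is stored; the raw token travels in the e-mailed link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def request_reset(users, email, now=None):
    """Issue a reset token for `email` and record its digest plus an expiry
    on the user's own row. Returns the raw token for the link, or None when
    the address is unknown (the HTTP response should look identical)."""
    now = time.time() if now is None else now
    user = users.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    user["reset_token_hash"] = _digest(token)
    user["reset_expires"] = now + TOKEN_TTL
    return token

def consume_reset(users, token, new_password_hash, now=None):
    """Redeem a token from a clicked link: find the row whose stored digest
    matches, reject it if expired, then set the password and clear the token
    so the same link cannot be used twice."""
    now = time.time() if now is None else now
    presented = _digest(token)
    for user in users.values():
        stored = user.get("reset_token_hash")
        if stored and hmac.compare_digest(presented, stored):
            if now > user["reset_expires"]:
                return False
            user["password_hash"] = new_password_hash
            user["reset_token_hash"] = None
            user["reset_expires"] = 0
            return True
    return False

# Constructed stand-in for the extended "users" table (not a real database).
USERS = {
    "alice@example.com": {"password_hash": "<old hash>", "reset_token_hash": None, "reset_expires": 0},
}

if __name__ == "__main__":
    link_token = request_reset(USERS, "alice@example.com")
    print("reset link token:", link_token)
    print("redeemed:", consume_reset(USERS, link_token, "<new hash>"))
```

The `new_password_hash` argument is expected to be the output of your existing password hashing, not the plaintext password.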