Password reset page

I have not seen any guides to making a password reset page. Any advice here?

Hi @rokit,
How do you expect a “Password reset page” to work - what functionality would you expect there?
It’s just an update record page, where the user enters the new password.

I guess I mean “forgot password” page.

Ok, but again - what functionality do you expect from such a page? This could be the answer to your question :slight_smile:

1 Like

Normally you have a form where the user enters the email with which they registered and submits that to a server action that checks if the e-mail exists in the database and then sends an e-mail to that address with some unique generated id, like a GUID or hash. You can store that unique id in the database with the user id.

Then the user goes to the link you’ve sent them with the id in it, and on that page you check if the id is valid and which user it is attached to. If the id is confirmed, show a form to set a new password for that user.

1 Like

The last time I did this I sent their password to them via e-mail. I used the tutorials to encrypt and hash passwords in my new site and that is cool, but it kinda ruins the whole sending-a-password thing.

You should not store or send unencrypted passwords to emails.
As Patrick explained - you send them a link to a new password form, where the user enters it manually:

Sorry, I was typing while Patrick was being helpful. And yes I realize that I should not be sending passwords in e-mails, that’s why I was asking for a solution.

Good question! Also need infos about that. I guess it should use a Hash for handling the reset. So:

  1. Email with Link (unique Hash) will be sent to user
  2. Hash only valid for 3 days or so
  3. Website with new Password appears
  4. Password will be stored as Salted 256 in DB
1 Like
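The four steps above, worked through as an added example (not code from the thread or from any poster): a random reset token is generated, only its SHA-256 is stored next to the user id with a 3-day expiry, the raw token goes into a link of the form mysite.com/resetpass.php?email=…&id=… and the reset page accepts it once, then stores the new password hash. The in-memory SQLite tables, the sample user and the URL are constructed for the example; the new password is assumed to arrive already hashed with whatever scheme the site uses.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time
from urllib.parse import urlencode

TOKEN_TTL = 3 * 24 * 3600  # link valid for 3 days, as suggested in the thread

def init_db():
    """In-memory SQLite with one constructed sample user (hash value is a placeholder)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)")
    db.execute("CREATE TABLE reset_tokens (user_id INTEGER, token_hash TEXT UNIQUE, "
               "expires_at INTEGER, used INTEGER DEFAULT 0)")
    db.execute("INSERT INTO users (email, password_hash) VALUES (?, ?)",
               ("alice@example.com", "old-password-hash-placeholder"))
    return db

def create_reset_link(db, email, now=None):
    """Return the link to e-mail, or None if the address is unknown.
    The raw token goes only into the link; the DB keeps its SHA-256, so a leaked
    table does not hand out usable reset links."""
    now = int(now if now is not None else time.time())
    row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None  # the page shown to the visitor should look the same either way
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG (not a GUID)
    db.execute("INSERT INTO reset_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)",
               (row[0], hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL))
    return "https://mysite.com/resetpass.php?" + urlencode({"email": email, "id": token})

def redeem_reset_token(db, email, token, new_password_hash, now=None):
    """Validate the email+id pair from the link, consume the token and store the new
    password hash (already hashed with the site's own scheme). True on success."""
    now = int(now if now is not None else time.time())
    digest = hashlib.sha256(token.encode()).hexdigest()
    row = db.execute(
        "SELECT t.rowid, t.user_id, t.expires_at, t.used, u.email FROM reset_tokens t "
        "JOIN users u ON u.id = t.user_id WHERE t.token_hash = ?", (digest,)).fetchone()
    # reject: unknown token, already used, expired, or token issued for another email
    if row is None or row[3] or row[2] <= now or not hmac.compare_digest(row[4].encode(), email.encode()):
        return False
    db.execute("UPDATE reset_tokens SET used = 1 WHERE rowid = ?", (row[0],))  # single use
    db.execute("UPDATE users SET password_hash = ? WHERE id = ?", (new_password_hash, row[1]))
    return True

def password_hash_for(db, email):
    return db.execute("SELECT password_hash FROM users WHERE email = ?", (email,)).fetchone()[0]
```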

Thanks Patrick, this is much better than my old method of sending the password! The next thing I should do is figure out how to generate a random GUID or hash; this is why I thought there would be a step by step on this. I’m trying to learn how to do this right so I appreciate your help.

If we send them a generated password aren’t we still sending the password? Shouldn’t there be an expiration on that password somehow?

You don’t send a generated password - that’s not the idea. You generate a random GUID, which in combination with user email is used to send them a link to a “new password” page with an update record form. So, if you only have the URL and user address you cannot change the password, as you don’t know the GUID generated for this record.

So the generated link will be like:

mysite.com/resetpass.php?email=email@mail.com&id=6ccd780c-baba-1026-9564-5b8c656024db

and there you use the email and id URL params to filter your database query, and update record.

I think I understand?? I will need some time to figure this out. With all the helpful info out here I’m surprised there isn’t a step by step on this, I must be the only one asking. Thanks for your help

For example, I solved it by hashing the id number in the user table and storing it in a field of the record.

Then people will get link reset.php?id=[hash number]

Hi there

I read all the above, but is there a tutorial?

regards
vitor

1 Like

I haven’t seen anything yet. I postponed this part of my project for a while hoping something shows up. There is a lot of good feedback from community here so I’m hopeful.

I need to do this as part of my current project so I’ll make a video. Give me a week or so.

3 Likes

@Hyperbytes me too, I need to do this but starting in about 2-3 weeks. But I guess that tutorial is as important as the login page :ok_hand::blush:

Thanks Hyperbytes you make awesome videos! Very much appreciated

2 Likes

Any news about Password Resetting page? I have now a special request and about 300 existing users from an OLD Database / Webproject. As passwords are stored there with some BCRYPT 10 I need to send them each an Email to tell them to reset the passwords, as I’m using SHA256 encryption.

So my workflow would be like:

  1. Send Newsletter to all the users
  2. Attach some generic link with that like ?resetuser=jondoe@gmail.com&hash=kj234randomstuffhere
  3. User clicks on Email and gets on resetpage with that HASH which must MATCH "kj234randomstuffhere"
  4. User can create now his new Password and in MySQL DB the new SHA256 pass will be stored, instead of that bcrypt old 1999 stuff…

What do you think?

1 Like

That is indeed how it should go; the hash must be something unique with which you can identify the user. For example, you could create a hash of the email address and the current password hash to verify the user:

{{ user.email.sha1(user.password) }}

When the user is verified you can safely update the password field with the hash of the new password supplied by the user.

2 Likes