I am designing & developing “Reset Password” form, where user provides username/email address so that application will send a link in a email for the user to click and type a new password. My interest is all about that link, How should i go ahead doing these jobs( I am not looking for answers that will be based on opinion but rather industry practices, steps that worked for your applications).
-
Make sure link is not bookmark enabled(Don’t allow him resetting the password with the same link)
-
If the links also contains expiry information, What should happen if he clicks expired link
you can also help me by providing other problems i may face with current plan of execution.
I have just implemented something similar.
User clicks “lost password” and enters email address.
On submit, generate a reset code so the main password is unaffected. (should be salt hashed too). Set a timeout for using the reset code.
User visits change password form. Enters email, reset code, new password and confirm password. On success, clear reset code and set new password, redirect to the login page.
I decided to make the reset code as part of the url as to make it easier for the users. As for bookmarking, well, you can’t protect all users like that. If they want to bookmark that page, let them. The above measures should stop them submitting anything out of line.