I have a resetpwd.php page that is shown when a user’s password is reset in the database. However, this page can be accessed by users whose password is not reset by manually changing the URL to “/resetpwd.php”. How can I prevent this?
It’s not really possible to prevent changing the URL, because the HTTP server does not really care if the URL was clicked on a page that you provided to the user, or typed in the browser’s location bar.
Instead, add some code to resetpwd.php to check if the user accessing it is allowed to do so, i.e. if his password is reset in the database. If not, just exit the script or redirect the user to a different page.
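One way to write the check described in the answer above, as an added example that is not part of the original answer. The `users` table, its `password_reset` column, the `user_id` session key and the `/index.php` redirect target are assumptions, and a constructed in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: users(id, password_reset). This constructed in-memory
// database only exists so the check can run stand-alone.
function demoDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password_reset INTEGER NOT NULL)');
    $pdo->exec('INSERT INTO users (id, password_reset) VALUES (1, 1), (2, 0)');
    return $pdo;
}

// True only when the user is logged in, exists, and the database says the
// password was reset. The decision uses server-side state, never the URL.
function mayAccessResetPage(PDO $pdo, ?int $userId): bool
{
    if ($userId === null) {
        return false; // no logged-in user in the session
    }
    $stmt = $pdo->prepare('SELECT password_reset FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $flag = $stmt->fetchColumn();
    return $flag !== false && (int) $flag === 1;
}

session_start();
$pdo = demoDatabase(); // replace with the application's own connection
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;

if (!mayAccessResetPage($pdo, $userId)) {
    header('Location: /index.php'); // hypothetical landing page
    exit; // stop here so none of the page below is sent
}

// ... the password-reset page is rendered only past this point ...
```

The `exit` after the redirect header matters: without it the rest of the script still runs and its output is sent to any client that ignores the `Location` header.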