I’m trying to implement a password forgot page on my website. I just would like to know if my idea is correct. The user enters his email address; I save in a database his IP, a timestamp, and an id for a “random password change” page. I create this “random password change” page with fopen(). Once the user clicks on the email link, I check if the page should be expired (e.g. 30 min). If it’s expired, I redirect the user to a “sorry too late” page where I delete the “random password change” page with unlink(); if it’s not expired, I let the user change his password, redirect him to a “password changed” page, and from there I remove the “random password change” page with unlink().
Side effect of this: if the user doesn’t click on the email link, my random page will never be deleted.
What do you think of this? Is that a good practice?
UPDATE
Hi everybody! Thanks to all of you for your help! Everything seems to run smoothly now 🙂
There’s no need to have a dedicated file for each confirmation. The confirmation code can be passed as a query parameter in the URL:
The script would retrieve it via
and then the confirmation/deactivation business takes place in the database. The verifyme page would always be present, but simply not do anything unless a code is passed in.
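The database-backed flow this answer describes, written out as an added example (it is not the answerer's code). It assumes PDO with the sqlite driver, a constructed table layout, a query parameter named `code`, a page called `verifyme.php` on `example.com`, and the 30-minute expiry from the question.

```php
<?php
// Added example, not the forum's code: one verify page plus a DB row per request,
// instead of a file per request. Assumes PDO with the sqlite driver; table layout,
// the 30-minute TTL and the link format below are assumptions taken from the thread.
const RESET_TTL_SECONDS = 30 * 60;
function initDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE password_resets (token_hash TEXT PRIMARY KEY,
        email TEXT NOT NULL, expires_at INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Create a reset request and return the raw token for the emailed link
// (e.g. https://example.com/verifyme.php?code=<token>). Only a SHA-256 of the
// token is stored, so a leaked table row cannot be replayed as a valid link.
function createResetToken(PDO $db, string $email, int $now): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, not rand()/uniqid()
    $db->prepare('INSERT INTO password_resets (token_hash, email, expires_at) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $email, $now + RESET_TTL_SECONDS]);
    return $token;
}

// verifyme.php calls this with $_GET['code']. Returns the email on success, or
// null when the code is unknown, expired, or already used (single-use link).
function consumeResetToken(PDO $db, string $token, int $now): ?string {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT email, expires_at, used FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['used'] === 1 || (int)$row['expires_at'] < $now) {
        return null;   // same "sorry too late" path for every failure, no detail leaked
    }
    $db->prepare('UPDATE password_resets SET used = 1 WHERE token_hash = ?')->execute([$hash]);
    return $row['email'];
}

// Unused links never leave orphan files: a periodic cleanup deletes stale rows.
function purgeExpired(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM password_resets WHERE used = 1 OR expires_at < ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

// Walk-through with a constructed address and a fixed clock
$db = initDb();
$token = createResetToken($db, 'user@example.com', 1700000000);
var_dump(consumeResetToken($db, $token, 1700000000 + 600));  // first use, within 30 min
var_dump(consumeResetToken($db, $token, 1700000000 + 600));  // same link presented a second time
var_dump(purgeExpired($db, 1700000000 + 600));
```

In production the `$now` argument would be `time()` and the cleanup would run from cron or on each request, so a link that is never clicked simply ages out of the table.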