I’m writing a password reset page.
Logic:
- User requests pw
- It’s sent to their email with a unique string (that expires) appended to the URL: /reset/$string
- Once at the page in my controller I check if the string matches one in the db; if so, then I match that to the userId
- If it does, I allow them to enter their new pass
- If they POST to the same controller and mess up and enter 2 incorrect passwords, I lose the original URL with the reset string, so now I don’t know which user to update in the db
My options (that I can think of):
- Set the string and user ID in a session and look that up in the controller (and make sure to clear this out once the pass is successfully reset)
- On step 4 above, I’ll add in the user’s ID in a hidden input field in the form and POST with that to check which user it is
Your solution in option 2 (add the token to a hidden input) makes sense, or you could just post the form to the same URL (the one with the token in it, so you don’t lose it) and structure your logic to work based on whether or not the form was posted.
The logic could look like this:
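What such a single GET/POST controller could look like, as an added example in Python; this is not the answerer's code and not the original poster's app (which uses a PHP-style /reset/$string route). It assumes hypothetical in-memory stand-ins for the users and reset-token tables, a one-hour token lifetime, a 12-character minimum password and a PBKDF2 hash, all chosen here for illustration. The security-relevant point it shows is that the token, carried either in the posted URL or in a hidden input, is the only thing that selects the user: a posted user ID is ignored, because a client can edit a hidden field and reset someone else's password.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the users and reset-token tables the post refers to.
USERS = {42: {"email": "alice@example.com", "password_hash": None}}
RESET_TOKENS = {}          # token -> {"user_id": int, "expires_at": float}
TOKEN_TTL_SECONDS = 3600   # hypothetical expiry window
MIN_PASSWORD_LENGTH = 12   # hypothetical policy


def hash_password(password):
    """Salted PBKDF2 stand-in for whatever password hashing the app uses."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def issue_reset_token(user_id, now=None):
    """Step 2: the unique, expiring string that goes into the emailed /reset/<token> link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"user_id": user_id, "expires_at": now + TOKEN_TTL_SECONDS}
    return token


def user_for_token(token, now):
    """Step 3: map the string back to a userId, rejecting unknown or expired tokens."""
    if not token:
        return None
    for stored, record in RESET_TOKENS.items():
        # constant-time comparison so the lookup does not leak token bytes via timing
        if hmac.compare_digest(stored, token):
            return record["user_id"] if now <= record["expires_at"] else None
    return None


def reset_controller(method, url_token, form=None, now=None):
    """Single controller for GET and POST on /reset/<token>.

    The token (from the URL, or from a hidden input if the form posts elsewhere)
    is the ONLY thing that identifies the user. A posted user_id is ignored.
    """
    form = form or {}
    now = time.time() if now is None else now
    token = url_token or form.get("token")
    user_id = user_for_token(token, now)
    if user_id is None:
        return {"status": 400, "view": "invalid_or_expired"}

    # The form posts back to the same tokenised URL and also carries the token
    # in a hidden input, so a failed attempt never loses it.
    page = {"status": 200, "view": "form", "action": f"/reset/{token}", "hidden_token": token}
    if method != "POST":
        return page

    password = form.get("password", "")
    confirm = form.get("password_confirm", "")
    if password != confirm:
        page["error"] = "passwords do not match"
        return page
    if len(password) < MIN_PASSWORD_LENGTH:
        page["error"] = f"password must be at least {MIN_PASSWORD_LENGTH} characters"
        return page

    USERS[user_id]["password_hash"] = hash_password(password)
    del RESET_TOKENS[token]   # single use: the link is dead once the reset succeeds
    return {"status": 303, "redirect": "/login"}
```

Because the form's action is the same /reset/<token> URL and the token is repeated in a hidden input, a mismatched pair of passwords simply re-renders the form and the next POST still carries the token; no session state is needed, and deleting the token on success means the emailed link cannot be replayed.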