Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Reset Hashed Password

Status
Not open for further replies.

whatsthehampton

Programmer
Sep 13, 2005
121
CA
Hi all,

Passwords are hashed - on forgotten - users are asked to reset, they then get a link to the reset page with their UserID in the QueryString by email.

This works OK and they can reset their passwords but I would like to add another layer of protection to stop this link being reused.

I am thinking of appending another QueryString Value, one that is inserted into the database and after being used is changed so that it cannot be reused.

Just wondered what the best practices are here please?

Cheers,

jeff



 
put the password hash in the query string?
The hash will change once they have changed their password...

/Daddy

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!
 
Hi whosrdaddy!

Nice idea - Thanks!

I had to do a little tweak as the password hashes end in the '=' sign which caused the query string to baulk.
So I just matched on the first 10 characters of the QS and the Password hash; all good.

Great.

Cheers,

Jon

 
encode the hashed pwd so it's html/querystring safe this will avoid the equals sign as part of the value and ensure the urls are unique.

Jason Meckley
Programmer

faq855-7190
faq732-7259
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top