Reset Hashed Password

[whatsthehampton]

Hi all,

Passwords are hashed - on forgotten - users are asked to reset, they then get a link to the reset page with their UserID in the QueryString by email.

This works OK and they can reset their passwords but I would like to add another layer of protection to stop this link being reused.

I am thinking of appending another QueryString Value, one that is inserted into the database and after being used is changed so that it cannot be reused.

Just wondered what the best practices are here please?

Cheers,

jeff

http://www.fluxii.com/

 

[whosrdaddy]

put the password hash in the query string?
The hash will change once they have changed their password...

/Daddy

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!

 

[whatsthehampton]

Hi whosrdaddy!

Nice idea - Thanks!

I had to do a little tweak as the password hashes end in the '=' sign which caused the query string to baulk.
So I just matched on the first 10 characters of the QS and the Password hash; all good.

Great.

Cheers,

Jon

http://www.fluxii.com/

 

[jmeckley]

encode the hashed pwd so it's html/querystring safe this will avoid the equals sign as part of the value and ensure the urls are unique.

Jason Meckley
Programmer

faq855-7190
faq732-7259

 

[whatsthehampton]

Thank you Jason.

Cheers,
Jeff

http://www.fluxii.com/