Hello, tell me how to implement this: the user forgot his password and needs to recover it. What is the best way to do it?

  • My option: recover.php

A field for the e-mail of the user who forgot the password; if he enters his e-mail, a letter with the login and password should be sent to his mailbox. Everything is good, but anyone who finds out the e-mail can also enter it in the recovery field, and the letter will come to him.

  • What kind of nonsense? The letter will be sent to the mailbox that was specified in the form .... Make the password change happen when a special link in the body of the letter is clicked! - spoilt
  • No, you did not understand: anyone can find out the e-mail of a user who did not want to recover the password, some student will fool around, and e-mails will be sent to that mailbox. - Dimcheg
  • Stored passwords need to be encrypted with md5 or something else. As @KoVadim said, the password should be reset, not sent. - cadmy
  • Well, let the letters come. The password should not be reset. - KoVadim
  • Each time there is an attempt to reset the password for one account, add +1 to a counter in the session. The session lifetime is one day. If there were more than a certain number of attempts, refuse to reset for a while. - terantul

1 answer

There is no need to send the password. You need to send a link to reset the password. If the user does not click on the link within an hour (or days), it becomes invalid.

Until the user clicks the link, you do not need to reset the password.

Password reset is just a suggestion to enter a new password.
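One way to implement the reset link this answer describes, as an added example that is not part of the original post: the table layout, function names, the one-hour lifetime and the use of an in-memory SQLite database through PDO are all assumptions made for illustration.

```php
<?php
// Added example: schema, function names and RESET_TTL are assumptions.
const RESET_TTL = 3600; // seconds the link stays valid

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pass_hash TEXT)');
    $db->exec('CREATE TABLE resets (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
    return $db;
}

// Returns the token for the e-mailed link, or null. The stored password is not touched here.
function requestReset(PDO $db, string $email, int $now): ?string {
    $st = $db->prepare('SELECT id FROM users WHERE email = ?');
    $st->execute([$email]);
    $userId = $st->fetchColumn();
    if ($userId === false) {
        return null; // caller shows the same page whether or not the address exists
    }
    $token = bin2hex(random_bytes(32)); // unguessable, sent only to the account's mailbox
    $db->prepare('DELETE FROM resets WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO resets VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $now + RESET_TTL]); // store only a hash
    return $token;
}

// Called when the user submits the new-password form reached through the link.
function redeemReset(PDO $db, string $token, string $newPassword, int $now): bool {
    $hash = hash('sha256', $token);
    $st = $db->prepare('SELECT user_id, expires_at FROM resets WHERE token_hash = ?');
    $st->execute([$hash]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM resets WHERE token_hash = ?')->execute([$hash]); // single use
    if ($row === false || (int)$row['expires_at'] < $now) {
        return false; // unknown, already used, or expired link
    }
    $db->prepare('UPDATE users SET pass_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['user_id']]);
    return true;
}

// Constructed demo data.
$db = makeDb();
$db->prepare('INSERT INTO users (email, pass_hash) VALUES (?, ?)')
   ->execute(['user@example.com', password_hash('old-pass', PASSWORD_DEFAULT)]);
$token = requestReset($db, 'user@example.com', time());
var_dump(redeemReset($db, $token, 'new-pass', time() + RESET_TTL + 1)); // link opened too late
$token = requestReset($db, 'user@example.com', time());
var_dump(redeemReset($db, $token, 'new-pass', time()));                 // link opened in time
var_dump(redeemReset($db, $token, 'other-pass', time()));               // same link opened again
```

Someone who only knows the e-mail address can trigger a letter, but the token goes only to the account's mailbox and the old password keeps working until the link is actually used.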