Posted by Chung Leong on 10/22/73 11:50
Colin McKinnon wrote:
> A better method is:
>
> In the database have columns for an old and new password for each customer.
>
> When the customer logs in (presenting userpass), if the new password is
> blank, compare userpass with old password to determine access.
> If the new password is not blank, compare new password with userpass - if
> they match, set old password = new password, and new password = null.

Another common way to do this is to create a separate table with two
columns, one holding a random string and the other the user name. A new
record is inserted when a request for password reset is made. The
random string is then placed into a URL and sent to the user's e-mail
address. When he clicks on it, he ends up at a page where he can enter
a new password. The script will use the random string to look up the
account.
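
The reset-token table described in the post above, as an added example that is not part of the original thread. The expiry column, storing only a SHA-256 digest of the random string, the single-use deletion, and all table, column and function names are assumptions made for this sketch.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 3600  # assumption: reset links expire after one hour


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    # The separate table from the post: random string -> user name.
    # Added here: only a digest of the string is stored, plus an expiry time.
    db.execute("CREATE TABLE password_resets (token_hash TEXT PRIMARY KEY,"
               " username TEXT NOT NULL, expires_at INTEGER NOT NULL)")
    return db


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(db, username, now=None):
    """Insert a reset record; return the random string for the e-mailed URL."""
    now = time.time() if now is None else now
    if db.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is None:
        return None  # unknown account: caller should respond the same either way
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    with db:  # one transaction: replace any outstanding request
        db.execute("DELETE FROM password_resets WHERE username = ?", (username,))
        db.execute("INSERT INTO password_resets VALUES (?, ?, ?)",
                   (_digest(token), username, int(now) + TOKEN_TTL))
    return token


def redeem_reset(db, token, new_password_hash, now=None):
    """Look up the account by the random string and set the new password once."""
    now = time.time() if now is None else now
    with db:
        row = db.execute("SELECT username, expires_at FROM password_resets"
                         " WHERE token_hash = ?", (_digest(token),)).fetchone()
        if row is None:
            return None  # unknown or already-used string
        db.execute("DELETE FROM password_resets WHERE token_hash = ?", (_digest(token),))
        if now > row[1]:
            return None  # expired; the record is still removed
        db.execute("UPDATE users SET password_hash = ? WHERE username = ?",
                   (new_password_hash, row[0]))
        return row[0]
```

The caller is assumed to pass `new_password_hash` already run through a password-hashing function; the sketch does not hash passwords itself.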