Most password reset schemes depend on either secret questions, access to the user's email account, or both. Secret questions have fallen out of favor
Your plan will work fine and is pretty standard. You can make it a bit more user friendly by not forcing the user to enter the temporary password: You basically have to construct a password reset token (similar to your temporary password), but which could be longer and would also be able to be used to identify the user. This token gets saved in the database and is also included in the email sent to the user. The email will contain a specially constructed password reset URL (for example http://server.com/PasswordReset.fwx?token=f43klrj34lfjljfl12jlf3j894w). When the user clicks on the URL the reset script locates the user record by matching on the token and then presents a password form (with the same token stored in a hidden field).
This is basically the same concept as your idea, because it still relies on a secret string being emailed to the user. Of course security breaks down if the user's email account has been compromised, which is why it's really important to have unique strong passwords on your email accounts.
In addition to only allowing the token to be used once by deleting it after it is used, it is also recommended that you only honor it for a short period of time (5 - 60 minutes). For this you will need to add another field to hold the token creation time.
As with all password reset schemes that depend on access to the user's email account, you will need to treat email addresses just like passwords in the user setup: Users should have to enter their password when trying to update their email address.
FoxWeb Support Team
support@foxweb.com email |
Sent by Art Bergquist on 06/17/2017 10:28:58 AM:
Thanks.
I already knew that the ForgetPassword() method was not what I was looking for; hence, why I wrote the following in my post:
"I thought I'd touch base, though, to see if there's a 'Forgot Password?' feature. I haven't found that yet."
Your response confirms what I thought; viz., that we need to roll our own 'Forgot Password?' feature.
It seems to me that the easiest way to implement this feature is to do something like the following:
- have a 'Forgot Password?' button which, when pressed, does 2 things: a) populates a Temporary Password column in the Users table (the same table that houses the Username and Password columns); b) automatically e-mails the Temporary Password to the user (alternatively [i.e., less automated], someone would have to manually contact the user to let them know their temporary password)
- when the user subsequently logs in, if they have a Temporary Password in addition to a regular password, then they would immediately be prompted to enter a new (i.e., different) password; after a successful login, the Temporary Password column would be blanked out so that only the (regular) Password column would be used for comparison purposes thereafter
Thanks again.
Sent by FoxWeb Support on 06/16/2017 06:36:30 PM:
The ForgetPassword method is not what you think: The method removes a cookie from the browser to invalidate a previously selected "Remember me" option. Please refer to the documentation for additional details.
FoxWeb does not provide native password reset functionality, but you can definitely add it yourself. All the tools are available for this -- the most time consuming part will be the UI, but even that is pretty simple.
FoxWeb Support Team
support@foxweb.com email |
Sent by Art Bergquist on 06/15/2017 08:06:11 PM:
Hi,
I see that FoxWeb has a ForgetPassword() method:
Auth.ForgetPassword()
I thought I'd touch base, though, to see if there's a 'Forgot Password?' feature.
I haven't found that yet.
Thanks in adva\nce for any insights,
Art Bergquist