Thanks for the suggestions.
While I really appreciate everyone's help, I am feeling exasperated because I have spent the entire day and night working on this dumb "reset_password.php" script, and people's suggestions make me keep changing directions and I'm exhausted...
If you could help me out a little more it would be greatly appreciated! (Although since it is past 2:00 a.m. here, I don't know how much longer I'll last...)
1.) So you are saying just have one Hash and one Salt field like originally?
2.) Sorry to say, but what exactly is a "token"?
3.) How do I create a "token"?
4.) Is that secure compared to me e-mailing a "Temporary password"?
5.) Can you help me figure out how to do that, please?
Here is what I have now. Everything is working with one "hitch"...
- User clicks on "(Forgot Password?)" link
- System takes User to "Reset Password" page
- User enters Email
- System finds Salt for the Email
- System generates a Temporary Password
- System Hashes Temporary Password and stores in Temporary Password Field with Timestamp
- System emails Temporary Password
- User opens Email and copies Temporary Password
- User clicks on link in email to "Log In" page
- System displays "Log In" page
- User enters Email and some Password
- System determines if Password matches either Original Password or Temporary Password
- System logs in User
- System redirects to "Change Password" page
I am having a problem here, because I prompt for...
* Current Password
* New Password
* Confirm New Password
...and I just realized that my script needs to be intelligent enough to know whether the "Current Password" is the Original Password or the Temporary Password?!
I think your way sounds much easier, and would like to try it - if it is SECURE - and if you can help a bit?!
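The token-based reset flow being suggested, as an added example (not the poster's reset_password.php): a random token is e-mailed, only its hash is stored with an expiry, and presenting it lets the user set a new password directly, so the "Change Password" page never has to ask for a Current Password. It assumes a PDO connection `$pdo` and a `users` table with `password_hash`, `reset_token_hash` and `reset_token_expires` columns (all assumed).

```php
<?php
// Added example, not the original script. Assumes a PDO connection $pdo and a users
// table with columns password_hash, reset_token_hash, reset_token_expires (assumptions).
// password_hash() generates and embeds its own salt, so no separate Salt column is needed.

const TOKEN_TTL_SECONDS = 3600; // a reset token is valid for one hour

// Step 1: user submits their e-mail on the "Reset Password" page.
function createResetToken(PDO $pdo, string $email): ?string
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null; // caller shows the same "check your e-mail" message either way
    }
    $token   = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    $hash    = hash('sha256', $token);      // only the hash is stored, like a password
    $expires = time() + TOKEN_TTL_SECONDS;  // the Timestamp that bounds its lifetime
    $stmt = $pdo->prepare(
        'UPDATE users SET reset_token_hash = ?, reset_token_expires = ? WHERE id = ?'
    );
    $stmt->execute([$hash, $expires, $userId]);
    return $token; // goes into the e-mailed link, e.g. reset_password.php?token=...
}

// Step 2: user follows the link and submits New Password + Confirm New Password.
function consumeResetToken(PDO $pdo, string $token, string $newPassword): bool
{
    $presented = hash('sha256', $token);
    $stmt = $pdo->prepare(
        'SELECT id, reset_token_hash, reset_token_expires FROM users WHERE reset_token_hash = ?'
    );
    $stmt->execute([$presented]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['reset_token_expires'] < time()) {
        return false; // unknown or expired token
    }
    if (!hash_equals($row['reset_token_hash'], $presented)) {
        return false; // constant-time compare; defensive even after the indexed lookup
    }
    // Store the new password and clear the token so it can only be used once.
    $stmt = $pdo->prepare(
        'UPDATE users SET password_hash = ?, reset_token_hash = NULL, '
        . 'reset_token_expires = NULL WHERE id = ?'
    );
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['id']]);
    return true;
}
```

Because the token is single-use and expires, the login page keeps checking only the one real password hash with password_verify(), and the "either Original or Temporary" branch disappears.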