I know my question is just a general question about what I should do, but it pertains to PHP and security. My question is:
When I make a password recovery system, should I be allowing the user to reset their password without being logged in? Should I generate a random password for them to use (this would include random symbols, letters, and numbers)?
What I mean in the first question is: should I be letting them reset their password as a guest? I know this is a typical technique people have been using, but is it really safe?
There are actually more steps that I am doing to make sure this is safe. However, the great “History” option in browsers might actually bypass it all.
So this is how my plan goes.
Have a public account recovery. If a user is logged in, they get redirected back to the home page automatically. When they’re logged off and are using the website as a guest, they are given 1 text field and a submit button. They submit the form and it triggers a jQuery event, prompting a confirmation message first. When they hit the “yes” link, it will email them a confirmation email to ensure that they are truly that person. During this process, it also inserts a record of the email and a randomly generated key, along with the time, into a table called password_reset. In the email, there will be a link provided. When the user clicks on the link, it’ll log the user back in if they aren’t already by grabbing their account information and setting the session so that they can be logged in. Then it’ll show them a page with 2 text fields: the new password and the new password confirmation, to make sure that the password is typed in right.
The way I will be doing this for the link is: it takes the email and randomly generated key from the password_reset table and compares them to the ones in the URL. If they all match, they are most likely the legit user. If they aren’t, it probably is a guessed email/key or an expired key, and the user will be redirected back to the home page.
So if both email and key match, they will be able to reset their password. Now, once they submit their new password, it’ll delete their entry in the password_reset table. So this means if they want to try and bypass this whole process and use the almighty “History” feature in the browser, it’ll just redirect them back to the home page. This applies whether they are logged in or logged out; it will keep redirecting them back until they properly reset their account.
In theory, it is also supposed to stop people from randomly guessing and resetting people’s passwords. What I mean by this is randomly guessing people’s emails and resetting their passwords just with a form.
EDIT: I should also mention that while the user is logged in, they will be redirected to this password reset page every time they try to go to other links within the website. It will ask them to pick a password before continuing.
The only way out of this method is if the records are deleted from the password_reset table. And the only way to do this is by submitting a password, which will then send another email to the user telling them that their password has been changed.
What are your thoughts about this type of method?
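As an added example (not code from the question, and written in Python rather than the asker's PHP so the logic is runnable here), this is the reset flow described above reduced to its core: an email plus a random key stored with a timestamp in a `password_reset` record, a link check that compares the presented key to the stored one, a single-use record that is deleted once a new password is submitted (so a link replayed from browser history fails), and an expiry window. The in-memory dicts stand in for the asker's `password_reset` and user tables, and the 30-minute lifetime and PBKDF2 iteration count are assumptions. One design choice that differs from the plan in the question: the key only authorizes setting a new password, it does not create a logged-in session, so a leaked or replayed link cannot be used as a login by itself.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stand-ins for the asker's password_reset table and a
# users table. A real deployment uses the database; the checks are the same.
password_reset = {}  # email -> {"key_hash": str, "created": float}
users = {}           # email -> {"pw_hash": bytes, "salt": bytes}

TOKEN_TTL_SECONDS = 30 * 60   # assumption: a reset link is valid for 30 minutes
PBKDF2_ITERATIONS = 100_000   # assumption: work factor for password hashing


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register_user(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[email] = {"pw_hash": hash_password(password, salt), "salt": salt}


def check_login(email: str, password: str) -> bool:
    user = users.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1 of the flow: the guest submits an email. Returns the raw key that
    goes into the emailed link, or None for an unknown email. The page shown to
    the user is the same either way, so the form does not reveal which emails
    have accounts."""
    if email not in users:
        return None
    now = time.time() if now is None else now
    raw_key = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    # Only a hash of the key is stored: a copy of the table does not yield usable links.
    password_reset[email] = {
        "key_hash": hashlib.sha256(raw_key.encode()).hexdigest(),
        "created": now,
    }
    return raw_key


def verify_reset_key(email: str, raw_key: str, now: Optional[float] = None) -> bool:
    """Step 2: the link is clicked. Email and key from the URL must match the
    stored record and the record must not be expired."""
    record = password_reset.get(email)
    if record is None:
        return False
    now = time.time() if now is None else now
    if now - record["created"] > TOKEN_TTL_SECONDS:
        password_reset.pop(email, None)  # expired key: drop it, link is dead
        return False
    presented = hashlib.sha256(raw_key.encode()).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(presented, record["key_hash"])


def complete_reset(email: str, raw_key: str, new_password: str,
                   confirm: str, now: Optional[float] = None) -> bool:
    """Step 3: the two password fields are submitted. On success the record is
    deleted, so the same link from browser history verifies as False afterwards."""
    if not new_password or new_password != confirm:
        return False
    if not verify_reset_key(email, raw_key, now):
        return False
    salt = secrets.token_bytes(16)
    users[email] = {"pw_hash": hash_password(new_password, salt), "salt": salt}
    del password_reset[email]  # single use
    return True


def reset_pending(email: str) -> bool:
    """The 'redirect every page to the reset form' check from the question:
    true while a password_reset record for this email still exists."""
    return email in password_reset
```

Run through a full cycle by registering a user, calling `request_reset`, passing the returned key to `verify_reset_key` and then `complete_reset`; a second `verify_reset_key` with the same key afterwards returns False, which is the behaviour the question wants for the browser-history case.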