I am currently sending a reset password link with the "account id" variable and a hash (bcrypt).
something.com/?account_id="666"&token=$2a$10$191koq.KgsCdM6dsiD6MZ.0mZLQ8YhjGsdxstBGmyIjE.r1SlhfxK
and noticed that sending a bcrypt in a URL doesn't work (some chars aren't allowed in URLs and are replaced by % [$ sign] and others).
On the other hand, I decided not to pass visible data such as the account id itself, but maybe an encrypted one.
From what I know, MD5 is dead. SHA1 is decrypt-able too.
- How can I pass an "account id" + a "bcrypt" hash and be able to decrypt & identify the user on the server side that is trying to reset his/her password?
- And just to be sure, is passing $_GET variables OK in this case?
I came across this post: Send bcrypt hash as parameter
and I'm not sure this is the case, because I'll never be able to guess which "account id" is requesting to reset his/her password.
What I'm currently doing is:
On forgot password form:
1. A clicks on "forgot my password".
2. Inserts "account id" and email.
3. A bcrypt token is set in the users table for that specific user under the columns forgot_password_token and forgot_password_ts (limited to 24 hours).
On reset password form:
1. Gets variables via $_GET.
2. Validate credentials: "account id" and "token" (select them from the users table under the "account id", and search for the token there - if exist - allow reset).
3. Display reset form and allow reset password.
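One way to implement the flow described in the post, as an added example that is not part of the original question: the link carries a random hex token (nothing in it needs escaping), only its SHA-256 digest is kept in forgot_password_token, and the row is looked up by account id. The in-memory $users array, the function names, the https scheme and the e-mail address are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table, keyed by account id.
$users = ['666' => ['email' => 'a@example.com',
                    'forgot_password_token' => null, 'forgot_password_ts' => null]];

const TOKEN_TTL = 86400; // 24 hours, as in the post

// Step 3 of the "forgot password" form: create the token and build the link.
function issueResetLink(array &$users, string $accountId, string $email, int $now): ?string
{
    if (!isset($users[$accountId]) || $users[$accountId]['email'] !== $email) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG, URL-safe
    // Keep only a digest so a leaked table does not contain usable links.
    $users[$accountId]['forgot_password_token'] = hash('sha256', $token);
    $users[$accountId]['forgot_password_ts'] = $now;
    // http_build_query() percent-encodes every value; a string with "$" or "/" needs that.
    return 'https://something.com/?' . http_build_query(
        ['account_id' => $accountId, 'token' => $token]);
}

// Step 2 of the "reset password" form: validate what arrived in $_GET.
function validateReset(array $users, array $get, int $now): bool
{
    $accountId = $get['account_id'] ?? '';
    $token = $get['token'] ?? '';
    if (!is_string($accountId) || !is_string($token) || !isset($users[$accountId])) {
        return false;
    }
    $row = $users[$accountId];
    if ($row['forgot_password_token'] === null
        || $now - $row['forgot_password_ts'] > TOKEN_TTL) {
        return false; // no reset pending, or the 24 hours have passed
    }
    // Constant-time comparison of the stored digest with the digest of the supplied token.
    return hash_equals($row['forgot_password_token'], hash('sha256', $token));
}

$link = issueResetLink($users, '666', 'a@example.com', time());
parse_str((string) parse_url($link, PHP_URL_QUERY), $get); // what PHP would put in $_GET
var_dump(validateReset($users, $get, time()));                 // fresh link
var_dump(validateReset($users, $get, time() + TOKEN_TTL + 1)); // same link after expiry
$get['token'] = str_repeat('0', 64);
var_dump(validateReset($users, $get, time()));                 // wrong token
```

In a real handler the token columns would also be cleared once the password has been changed, so a link works only once.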