> Does anybody have any tips or links for creating a system for managing
> users' passwords. I want to make it so that when a user is created, an
> email is sent with a link that allows them to set their password. The
> link should only work for a set amount of time. I have ideas for
> implementing something, but I have a hunch that there is some code
> already out there for this. Does anybody know of any? Thanks!

Use the sample code in http://php.net/md5 to create a hash, and store that in your database with a datetime value of now().

The hash will be quite unpredictable by the Bad Guys.

Send that hash as part of the link in your email, and compare that hash to yours in the database.

To make it even harder to bust, store the http://php.net/crypt *of* the md5 hash value, so that the actual value in the database is not what they need to send, but you can crypt what they send to see if it is the correct value. That way, if somebody gains access to read your database, the values stored there do them no good.

Course, it's more likely that somebody will gain access to the recipient's email, but there is little you can do about that in today's environment. Digitally-signed and secure email is nowhere near pervasive enough.

An alternative is to send them a randomly-generated password, storing only the crypt() of it, of course, and then force them to change the password on first login.

Since some email clients have a tough time getting long URLs, this can be less intensive on your Support/Help resources (your time) and it's really not a lot less secure than the long URL method.

--
Like Music? http://l-i-e.com/artists.htm
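
The scheme described in the reply above (emailed token, only a one-way hash stored, time-limited link), as an added example that is not part of the original message. It swaps in random_bytes() and SHA-256 with hash_equals() for the md5 sample code and crypt() the reply mentions. The in-memory array standing in for the database table, the function names, the one-hour lifetime, the single-use rule and the example.test URL are all assumptions.

```php
<?php
// Added example: $store stands in for a database table keyed by user id (assumption).
const TOKEN_TTL_SECONDS = 3600; // assumed lifetime of the emailed link

function issueToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));          // value that goes into the link
    $store[$userId] = [
        'token_hash' => hash('sha256', $token),  // only the hash is stored
        'created_at' => $now,                    // the "datetime value of now()"
    ];
    return $token;
}

function redeemToken(array &$store, int $userId, string $presented, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;                            // nothing pending, or already used
    }
    $row     = $store[$userId];
    // Hash what the user sent and compare in constant time.
    $matches = hash_equals($row['token_hash'], hash('sha256', $presented));
    $fresh   = ($now - $row['created_at']) <= TOKEN_TTL_SECONDS;
    if (!$fresh || $matches) {
        unset($store[$userId]);                  // expired or consumed: drop the row
    }
    return $matches && $fresh;
}

// Constructed walk-through with fixed timestamps so the behaviour is repeatable.
$db    = [];
$t0    = 1700000000;
$token = issueToken($db, 42, $t0);
echo 'https://example.test/set-password.php?uid=42&token=' . $token, "\n";

var_dump(redeemToken($db, 42, 'not-the-token', $t0 + 60));  // wrong value
var_dump(redeemToken($db, 42, $token, $t0 + 60));           // correct, in time
var_dump(redeemToken($db, 42, $token, $t0 + 120));          // same link reused

$late = issueToken($db, 42, $t0);
var_dump(redeemToken($db, 42, $late, $t0 + TOKEN_TTL_SECONDS + 1)); // after expiry
```

A read-only leak of the stored rows exposes only hashes, which cannot be replayed as links.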