[RESOLVED] Cleanup temp links/db from pw resets or pending logins...

php_noob2

Hi all,

I've created a password recovery page where if the email address is found then it will create a random string, place it in the row of the user, and email a link to that user with the string appended to the pw reset url.

Like this:
http://example/lostpw.php?uid=f7fae6d010409b02436583984bbf9878

So then I have a GET[uid] on lostpw.php and it generates a new password for the user where uid=uid in the db. Works great!

What I'm wondering is how I can set that link to expire in 3 days or something... or would it be best to have another query after the new pw generation to delete that from the uid db field. Either way I think would work but I have no idea how to have temp links die after X days or what is preferable.

I'm also going to use this scheme to send emails to complete a user signup process. I will want to clean out all those that don't complete for whatever reason automatically.

Thanks you guys!!
phpnoob (but less noob all the time) 😃

Kudose

Well, usually obfuscation isn't the way to go, but since you've already chosen that route by exposing the user ID numbers in the URL to generate new passwords, I'll go with it.

You could use a unix timestamp in the URL, which won't look like a normal date to the normal computer user, and check to make sure the date in the timestamp hasn't passed or isn't past 3 days old.

Kudose

Also, I recommend all novice users to check out these basic security posts.

http://shiflett.org/articles/sql-injection
http://shiflett.org/articles/foiling-cross-site-attacks
http://shiflett.org/articles/session-fixation

php_noob2

Thanks for the reply...

Actually, it is not the user id, it is a unique id that is the generated hash and put in the user's row to associate the GET. They click the link in their email, go to the page where GET takes the uid and finds it in the db, then they can create a new pw. I just don't want that link hanging out. I suppose I could just have a cron job every few days to empty the table...

All of the tutorials I've seen on creating a unique link to email the user for registration completion use a similar scheme. As for obfuscation, I think it is only coincidence... I know of no way of creating a 32 character totally random key otherwise. If there is a better way to go about it I'd love to scrap what I did and go that way... that's why I'm here right? 😃

Thanks

Kudose

I would create a table that maps the user ID and holds the expire date. When you access the page with the hash, join it to the users table after verifying the date hasn't past.

php_noob2

Ahh ok, that is a good scheme... thanks I'll give that a try.