I have a new website. And the following is my scenario:

I will send an email to 5 people (numbers not important), inside the email, i will include a link for them to click:

www.domain.com/[email protected]&key=abc...xyz

The key is randomly generated using a salt and sha1 in PHP. Upon clicking the link in their email, can I directly let them access the update profile page? Or do I need to ask them to log in again?

If I directly let them access the update profile page, what are the security things I need to take care of? I know that with a login I can store a session, but the thing is, they click the link from their email, and I think it's quite private and safe.

The only security flaw I can think of is: the hacker can magically memorize the "key" (which is about 60++ characters), and then type in browser URL: www.domain.com/[email protected]&key=abc...xyz.

If the hackers can do that, then I am done. My users' accounts will be hacked.

Is there anything else that a hacker can hack? It is just the update profile page.

Btw, if they have already updated their profile, should I remove the "key" from the database?

I am using PHP and MySQL.

+3  A: 

A password reset email should have a one-time use - store an opaque token in your database, send it in the email, and only allow it to be used once.

Paul Dixon
Do they need to log in before updating their profile? Or should I just directly let them update their profile
bbtang
(continued from previous comment...) after clicking the link?
bbtang
I don't think they'd need to login. Just make sure once the token is used you delete it/mark it as dead.
Dominic Rodger
Only keep in mind that a plain, unencrypted email is more like a postcard. The postman _could_ read it, without you ever knowing.
VolkerK
@Volkerk: This is interesting. How to send secure email then?
bbtang
You would have to encrypt the email with something like S/MIME, http://en.wikipedia.org/wiki/S/MIME . But tell me a company that uses such a thing and I'll tell you a hundred that don't ;-) It's simply not feasible in most cases (yet).
VolkerK
A: 

I agree with Paul, but for profile updating I suggest doing it after login. You can also display and store the IP address of the client when he resets his password.

lg
A: 

Typical practice is to require a user to change their password when they are sent a 'Forgot Password' email, and then make them log in before they can change anything.

A recent implementation of a password email that I created worked as follows:

  • Create an array containing the id of the user, and the current timestamp.
  • Serialize and then encrypt the resulting string (using a symmetric key, which is stored on your server).
  • Put that encrypted string in a url parameter (my advice is to base64_encode the data twice in order to ensure you don't get bad characters in the url), and then send it to them in an email.
  • When someone clicks on the link in their email, first check that the parameter decrypts properly (meaning it's valid), and then deserialize the data structure. You now check that original timestamp. If too much time has passed since that point, reject the forgotten password url as too old.
  • If the url is valid, and recent enough, take them to a 'reset password' page.
Kazar
They are not officially my users yet; I will randomly select 5 - 10 persons from my database to let them try my website. So, in my database there are no usernames and passwords for them, unless I randomly generate some password and use their email as the username to log in. Well, thanks for sharing your password email with us. It's really great. I will use that in the near future :)
bbtang
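The timestamped, encrypted link described in Kazar's answer, as an added PHP example (not code from the thread): it uses libsodium's authenticated encryption so that "does it decrypt properly" also proves the token was not modified, and a single URL-safe base64 pass instead of the double base64_encode. The function names, the one-hour TTL and the inline key are assumptions for the demonstration; PHP 7.2+ with the sodium extension is assumed.

```php
<?php
// Added example: a stateless reset/invite token built from (user id, issued-at).
// Assumes PHP >= 7.2 with ext/sodium. In production the key comes from
// server-side configuration, never from the request or the email.

const TOKEN_TTL_SECONDS = 3600; // assumption: reject links older than one hour

function makeToken(int $userId, string $key, int $now): string {
    $payload = json_encode(['uid' => $userId, 'iat' => $now]);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox = encryption + MAC, so a forged or edited token fails to open
    $box = sodium_crypto_secretbox($payload, $nonce, $key);
    // URL-safe alphabet without padding: no '+', '/' or '=' in the query string
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Returns the user id, or null when the token is malformed, forged or too old.
function verifyToken(string $token, string $key, int $now): ?int {
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid base64 at all
    }
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $minLen) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $payload = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($payload === false) {
        return null; // wrong key or tampered ciphertext: MAC check failed
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['uid'], $data['iat'])) {
        return null;
    }
    if ($now - (int)$data['iat'] > TOKEN_TTL_SECONDS) {
        return null; // authentic, but the link has expired
    }
    return (int)$data['uid'];
}

// Demonstration with a throwaway key: a fresh token, an expired one, a tampered one.
$key = sodium_crypto_secretbox_keygen();
$token = makeToken(42, $key, time());
$tampered = substr($token, 0, 10) . ($token[10] === 'A' ? 'B' : 'A') . substr($token, 11);
var_dump(verifyToken($token, $key, time()));
var_dump(verifyToken($token, $key, time() + 2 * TOKEN_TTL_SECONDS));
var_dump(verifyToken($tampered, $key, time()));
```

Because the token carries no server-side state, it cannot by itself enforce Paul Dixon's one-time-use rule; to get that, also record the token (or the user's last reset time) in the database and refuse a token whose `iat` predates it.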