send email to user for password reset

Question

the flow is:- 1. user enters email address 2. after submit, email is sent to the user 3. Email will include a link that will take the user to a reset password page..

now how do I fetch user's ID based on the email address and encrypt it ? then what that link should be??..like..what I want is fetch User ID then encrypt it somehow so that link doesnt contain the actual ID..and that link will take the user to a page that will have textboxes to reset password..just confused how to go abt it

Also is this the secure way ? to reset password like this ??

Answer 1

There is any number of ways to go about doing this. If your major concern is security, one way could be to send a link that contains a guid parameter which you create and store on your end (in a db table, file or whatever suits you) together with the user id associated with it. When the request for password reset comes in, you check for the guid and look if there is one matching value in your db/file/whatever and proceed with the password reset. Don't forget to delete the guid from your storage to prevent multiple use of the same link.

Answer 2

I usually create a new table in the database:

PasswordresetRequest with the following fields:

• Id: Guid - Id of password reset request.
• Accountid: string - username of user
• Created: DataTime - timestamp of when password reset were created

Flow is as follows:

1. User request password reset at web site.
2. A new record is created in the PasswordresetRequest table.
3. An email with a link to the password reset page with the password request id as request parameter is sent to the user.
4. User click on link in email which send him to password reset page.
5. Password request if fetched from database from request parameter. If request could be found or and request is not older than e.g. 12 hours a form is presented to user where he can enter a new password.

This is pretty simple to implement and is secure enough for most sites.