While working on the lost password feature of a website, I have created two tables:

tbl_lost
`id` (PK) | `umail` (FK) | `pcode` | `count` | `expired_on` | `asked_on`

tbl_user
`id` (PK) | `email` | ... other columns ... | `active`
Now let me tell you my approach.

1. The user enters an email.
2. Check in tbl_user: if it exists, create a pcode and send a mail with the password reset link, passing the code as a query parameter: reset_password.php?kode=encrypted(pcode). Else give the message 'given Email does not exist in your database'.

Now I have assumed that a user does not get the email, or that someone (a tool or a person) repeatedly sends multiple requests for the same email address.

1. The user enters an email and asks to reset the password.
2. Check in tbl_lost: if the email exists,
   - if request time < expired_on time: prompt "reset link mail already sent, do you need it again?" If the user clicks "OK", we send that pcode link again and count is increased by 1.
   - if request time < expired_on time and count > 10 (as the link expiry is 48 hours): send the mail "Please check spam".
   - if request time > expired_on time: generate a new pcode, send the reset link, update the table and set count = 0.
But this approach does not identify whether the user comes the first time or the second time?
Should I set active to false for the next 48 hours?
Is the above approach right so far? Or should I think about other variations and use cases?
Are the database table and columns fit enough to stop a malicious attack?
Or should we create a temporary table which automatically removes old rows after 2 days?
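The flow described in the post, written out as a runnable example (this is added code, not the poster's reset_password.php): an in-memory SQLite database with the two tables from the post, `request_reset()` implementing the branches (unknown email, fresh code, "already sent" prompt modelled by a `resend_confirmed` flag, resend with `count + 1`, "check spam" once `count > 10`, new code with `count = 0` after expiry), `redeem_code()` for the link side, and `purge_expired()` as a scheduled cleanup in place of a self-expiring table. The host in `RESET_URL`, the user `alice@example.com`, the `active = 1` filter, and the timestamps in `run_scenario()` are assumptions of this example; the random code is put into the link as-is rather than as the post's encrypted(pcode).

```python
import secrets
import sqlite3
from datetime import datetime, timedelta

LINK_TTL = timedelta(hours=48)    # post: link expires after 48 hours
MAX_RESENDS = 10                  # post: "count > 10" -> "Please check spam"
RESET_URL = "https://example.invalid/reset_password.php?kode="  # assumed host


def open_db():
    """In-memory SQLite with the post's two tables and one constructed user."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE,
                               active INTEGER NOT NULL DEFAULT 1);
        CREATE TABLE tbl_lost (id INTEGER PRIMARY KEY,
                               umail TEXT NOT NULL UNIQUE REFERENCES tbl_user(email),
                               pcode TEXT NOT NULL UNIQUE, count INTEGER NOT NULL DEFAULT 0,
                               expired_on TEXT NOT NULL, asked_on TEXT NOT NULL);
    """)
    db.execute("INSERT INTO tbl_user(email) VALUES (?)", ("alice@example.com",))
    db.commit()
    return db


def request_reset(db, email, now, resend_confirmed=False):
    """One 'forgot password' request. Returns (outcome, link-or-None)."""
    # Assumption of this example: an inactive account cannot ask for a reset.
    user = db.execute("SELECT id FROM tbl_user WHERE email = ? AND active = 1",
                      (email,)).fetchone()
    if user is None:
        return "unknown_email", None          # post: 'given Email does not exist'

    row = db.execute("SELECT count, expired_on, pcode FROM tbl_lost WHERE umail = ?",
                     (email,)).fetchone()
    if row is not None and now < datetime.fromisoformat(row[1]):
        count, _, pcode = row
        if count > MAX_RESENDS:
            return "check_spam", None          # post: mail 'Please check spam'
        if not resend_confirmed:
            return "already_sent", None        # post: prompt 'Do you need it again?'
        db.execute("UPDATE tbl_lost SET count = count + 1 WHERE umail = ?", (email,))
        db.commit()
        return "resent", RESET_URL + pcode     # the same link again

    # No live request: fresh random code, count back to 0 (post's last branch).
    pcode = secrets.token_urlsafe(32)
    db.execute("DELETE FROM tbl_lost WHERE umail = ?", (email,))
    db.execute("INSERT INTO tbl_lost(umail, pcode, count, expired_on, asked_on) "
               "VALUES (?, ?, 0, ?, ?)",
               (email, pcode, (now + LINK_TTL).isoformat(), now.isoformat()))
    db.commit()
    return "sent", RESET_URL + pcode


def redeem_code(db, kode, now):
    """reset_password.php side: returns the email for a live code and burns it."""
    row = db.execute("SELECT umail, expired_on FROM tbl_lost WHERE pcode = ?",
                     (kode,)).fetchone()
    if row is None or now >= datetime.fromisoformat(row[1]):
        return None
    db.execute("DELETE FROM tbl_lost WHERE pcode = ?", (kode,))  # one-time use
    db.commit()
    return row[0]


def purge_expired(db, now):
    """Scheduled cleanup in place of a self-expiring table; returns rows removed."""
    cur = db.execute("DELETE FROM tbl_lost WHERE expired_on <= ?", (now.isoformat(),))
    db.commit()
    return cur.rowcount


def run_scenario():
    """Walks the post's cases on constructed data; returns outcomes for checking."""
    db, out = open_db(), {}
    t0 = datetime(2024, 1, 1, 12, 0, 0)           # constructed clock
    alice = "alice@example.com"
    out["unknown"] = request_reset(db, "nobody@example.com", t0)[0]
    out["first"], link = request_reset(db, alice, t0)
    out["prompt"] = request_reset(db, alice, t0 + timedelta(hours=1))[0]
    again = [request_reset(db, alice, t0 + timedelta(hours=1), resend_confirmed=True)
             for _ in range(MAX_RESENDS + 2)]
    out["resent"] = sum(1 for r in again if r[0] == "resent")
    out["same_link"] = all(r[1] == link for r in again if r[0] == "resent")
    out["last"] = again[-1][0]
    out["bad_code"] = redeem_code(db, "not-a-real-code", t0)
    out["after_expiry"], new_link = request_reset(db, alice, t0 + LINK_TTL)
    out["rotated"] = new_link != link
    out["old_code"] = redeem_code(db, link[len(RESET_URL):], t0 + LINK_TTL)
    out["redeemed"] = redeem_code(db, new_link[len(RESET_URL):], t0 + LINK_TTL)
    out["reuse"] = redeem_code(db, new_link[len(RESET_URL):], t0 + LINK_TTL)
    request_reset(db, alice, t0 + LINK_TTL)
    out["purged_early"] = purge_expired(db, t0 + LINK_TTL)
    out["purged_late"] = purge_expired(db, t0 + 3 * LINK_TTL)
    return out
```

Two design notes on the example. The code is stored in clear because the post's flow resends the same link on "OK"; if you prefer to store only a hash of the code at rest, a resend has to mint a new code instead. The distinct 'given Email does not exist' branch is kept as the post describes it, so be aware that a caller can use that reply to learn which addresses are registered; the "check spam" branch caps resends only for an address that already has a live row, so it does not by itself limit how many requests an automated client can make.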