Stephan van Hulst wrote: Hi Marco
This looks pretty good. I recommend that you generate a random token when a user clicks the forgot password link. Store the token in your database together with an expiration date. The reset link in the e-mail should contain the token. The user can only reset their password if the token matches the one in the database, and when it hasn't expired yet. After the user successfully resets their password, you should remove the token from the database, so that the reset link can't be used a second time.
Thanks Stephan,
got it working as expected.
Still need to implement token deletion from the db... I was wondering if it's a good practice even if I set a very short expiration time for its usage.
Anyhow, I learned some new things developing this functionality and I'm happy to have done it.
Cheers
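The flow Stephan describes (random token, stored with an expiry, checked on use, deleted once redeemed) as an added Python example that is not code from this thread. It uses an in-memory dict as a stand-in for the database table, and goes one step beyond the post by storing only a SHA-256 digest of the token, so a copy of the table alone cannot be used to reset passwords; `issue_reset_token`, `redeem_reset_token` and `TOKEN_TTL_SECONDS` are names chosen here.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Short lifetime, as the thread recommends (constructed value: 15 minutes).
TOKEN_TTL_SECONDS = 15 * 60

# Stand-in for the database table (constructed for this example):
# maps sha256(token) -> (user_id, expiry as a unix timestamp).
_reset_tokens: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    """Store a hash, not the raw token, so a leaked table is not a reset key."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Called when the user clicks 'forgot password'. Returns the raw token
    that goes into the e-mail link; only its digest is persisted."""
    now = time.time() if now is None else now
    # Invalidate any earlier outstanding token for the same user.
    for digest, (uid, _) in list(_reset_tokens.items()):
        if uid == user_id:
            del _reset_tokens[digest]
    token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
    _reset_tokens[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Called from the reset link. Returns the user_id the reset applies to,
    or None if the token is unknown, expired, or already used."""
    now = time.time() if now is None else now
    digest = _digest(token)
    record = _reset_tokens.get(digest)
    if record is None:
        return None
    user_id, expires_at = record
    if now >= expires_at:
        del _reset_tokens[digest]  # expired: clean up and reject
        return None
    # Delete on success so the link cannot be replayed, even before the
    # expiry window ends; a short TTL alone does not make it single-use.
    del _reset_tokens[digest]
    return user_id
```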