I think changing a forgotten password to 'password' for everyone is not secure.
I use this code in my login.php:

Code:
```php
if ($DBconf == $confirmationcode && !empty($confirmationcode)) {
    // Generate an 8-character temporary password and hash it
    $new_pass = substr(md5(uniqid(rand(), true)), 0, 8);
    $passhash = generateHash($new_pass);

    // Clear the used reset code, then store the new password hash
    $db->query('UPDATE `' . table_users . '` SET `last_reset_code` = "" WHERE `user_login` = "' . $username . '"');
    $db->query('UPDATE `' . table_users . '` SET `user_pass` = "' . $passhash . '" WHERE `user_login` = "' . $username . '"');

    // Show the temporary password followed by the language-file message
    $errorMsg = "Your password has been reset to '$new_pass'. " . $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_PassReset');
}
```

Of course, the 'PLIGG_Visual_Login_Forgot_PassReset' value must be changed in your lang file to 'Please login and change your password'.




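A hardened variant of the reset flow in the post above, added here as an example; it is not the poster's code or Pligg's. It assumes PDO with a constructed `users` table in in-memory SQLite, uses PHP's `password_hash()` in place of Pligg's `generateHash()`, and the function names `temp_password` and `reset_password` are hypothetical. It draws the temporary password from the OS CSPRNG, compares the confirmation code in constant time, and binds the username as a parameter.

```php
<?php
// Added example: hypothetical schema and function names, not Pligg's own code.

// Build the temporary password from the OS CSPRNG rather than md5(uniqid(rand())).
function temp_password(int $length = 12): string {
    // Alphabet without look-alike characters (0/O, 1/l/I)
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Returns the new temporary password, or null when the reset is refused.
function reset_password(PDO $pdo, string $username, string $code): ?string {
    $stmt = $pdo->prepare('SELECT last_reset_code FROM users WHERE user_login = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when the user does not exist
    // Refuse unknown users and empty stored codes; compare in constant time.
    if (!is_string($stored) || $stored === '' || !hash_equals($stored, $code)) {
        return null;
    }
    $new = temp_password();
    // One statement stores the hash and clears the code, making the code single-use.
    $upd = $pdo->prepare(
        "UPDATE users SET user_pass = ?, last_reset_code = '' WHERE user_login = ?"
    );
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return $new;
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_login TEXT PRIMARY KEY, user_pass TEXT, last_reset_code TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'old-hash', 'c0ffee1234')");

var_dump(reset_password($pdo, 'alice', 'wrong-code'));   // mismatching code
var_dump(reset_password($pdo, "o'brien", 'c0ffee1234')); // quote in name is bound, not parsed as SQL
var_dump(reset_password($pdo, 'alice', 'c0ffee1234'));   // valid code: temporary password
var_dump(reset_password($pdo, 'alice', 'c0ffee1234'));   // same code replayed after use
```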



