PHP how to make password recovery
Learn how to create a password reset system in PHP, with an example to help you get started.
Password Recovery with PHP
Password recovery is an important and necessary feature for any website. It allows users to reset their passwords if they've forgotten them and are unable to access their accounts. With PHP, implementing a secure and effective password recovery process is relatively straightforward.
The most common approach for password recovery is to send a reset link to the user's email address. This link will contain a unique, one-time-use token that will allow the user to reset their password. This token should contain enough entropy to make it difficult to guess, and it should also expire after a certain amount of time. Generating a secure token can be done easily in PHP using the openssl_random_pseudo_bytes
function:
$token = bin2hex(openssl_random_pseudo_bytes(32));
Once the token is generated, it must be associated with the user's account in the database. This can be done with an UPDATE query:
$stmt = $db->prepare("UPDATE users SET reset_token = ? WHERE id = ?");
$stmt->bind_param("si", $token, $user_id);
$stmt->execute();
The reset token should also include an expiration timestamp to ensure that it can't be used indefinitely. This can be stored as a separate column in the database, or it can be encoded into the token itself. In this example, we'll encode the expiration timestamp into the token by using a hash_hmac:
$expiration = time() + (60 * 60); // 1 hour
$data = $token . $expiration;
$hmac = hash_hmac("sha256", $data, $secret_key);
$token = $data . ":" . $hmac;
Once the reset token is generated and stored, the next step is to send it to the user. This can be done easily with the PHP mail
function:
$subject = "Password Reset Request";
$message = "You are receiving this email because you (or someone else) has requested a password reset for your account.nn";
$message .= "Please click on the following link, or paste this into your browser to complete the process:nn";
$message .= "http://example.com/reset.php?token=" . $token . "nn";
$message .= "If you did not request this, please ignore this email and your password will remain unchanged.n";
$headers = "From: [email protected]";
mail($user_email, $subject, $message, $headers);
When the user clicks on the link, the reset token will be sent to the server. The server must then verify that the token is valid and that it hasn't expired. This can be done with a SELECT query to the database:
$stmt = $db->prepare("SELECT id FROM users WHERE reset_token = ? AND reset_expires > ?");
$stmt->bind_param("si", $token, time());
$stmt->execute();
$user_id = $stmt->fetch();
If the token is valid and unexpired, the user can then be allowed to reset their password. The new password should be securely stored in the database using a cryptographic hash function, such as password_hash
:
$password_hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $db->prepare("UPDATE users SET password = ? WHERE id = ?");
$stmt->bind_param("si", $password_hash, $user_id);
$stmt->execute();
Once the new password is stored, the reset token should be cleared to prevent it from being used again. This can be done with an UPDATE query:
$stmt = $db->prepare("UPDATE users SET reset_token = NULL, reset_expires = NULL WHERE id = ?");
$stmt->bind_param("i", $user_id);
$stmt->execute();
Finally, the user should be redirected to a page that informs them that their password has been successfully reset. It's also a good idea to provide a link back to the login page so that they can easily log in with their new password.
With the help of PHP, implementing a secure and effective password recovery process is relatively straightforward. By following the steps outlined above, you can ensure that your users are able to reset their passwords quickly and securely.