Password Reset process in PHP
To complete the password reset process, you’ll need a reset-password.php page to handle the token and allow the user to set a new password. Below is a sample implementation for reset-password.php:

pass_resets SQL:
CREATE TABLE pass_resets (
    id INT AUTO_INCREMENT PRIMARY KEY,
    email VARCHAR(255) NOT NULL,
    token VARCHAR(64) NOT NULL,
    expires_at DATETIME NOT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    INDEX idx_email (email),
    INDEX idx_token (token)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
reset-password.php:
<?php
session_start();
// The original post does not show where $conn (a PDO connection) and the
// CSRF helpers verifyCSRFToken() / generateCSRFToken() come from; the two
// paths below are placeholders for whatever files define them in your project.
require_once __DIR__ . '/db.php';    // placeholder: defines $conn
require_once __DIR__ . '/csrf.php';  // placeholder: defines the CSRF helpers

$error = $success = null;
// The hidden field in the form below is named csrf_token, so read that key.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && verifyCSRFToken($_POST['csrf_token'] ?? '')) {
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; the token is only
    // ever used as a bound query parameter, so trimming it is sufficient.
    $token = trim((string)($_POST['token'] ?? ''));
    $new_password = $_POST['new_password'] ?? '';
    $confirm_password = $_POST['confirm_password'] ?? '';
    if ($new_password !== $confirm_password) {
        $error = "Passwords do not match.";
    } elseif (strlen($new_password) < 8) {
        $error = "Password must be at least 8 characters long.";
    } else {
        // Only an unexpired token is accepted
        $stmt = $conn->prepare("SELECT email FROM pass_resets WHERE token = ? AND expires_at > NOW()");
        $stmt->execute([$token]);
        $reset = $stmt->fetch();
        if ($reset) {
            $email = $reset['email'];
            $hashed_password = password_hash($new_password, PASSWORD_DEFAULT);
            // Update user password
            $updateStmt = $conn->prepare("UPDATE users SET password = ? WHERE email = ?");
            $updateStmt->execute([$hashed_password, $email]);
            // Delete used token so the link works only once
            $deleteStmt = $conn->prepare("DELETE FROM pass_resets WHERE token = ?");
            $deleteStmt->execute([$token]);
            $success = "Password updated successfully. Please log in.";
        } else {
            $error = "Invalid or expired reset link.";
        }
    }
}
// Token from the e-mailed link (GET), or carried through a failed POST attempt
$token = trim((string)($_POST['token'] ?? $_GET['token'] ?? ''));
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Reset Password</title>
</head>
<body>
<main class="min-h-screen flex items-center justify-center px-4 py-8">
    <div class="card max-w-md w-full p-6">
        <h2 class="text-2xl sm:text-3xl font-semibold text-red-700 text-center mb-4">Reset Password</h2>
        <?php if (isset($error)): ?>
            <div class="alert-danger"><?php echo htmlspecialchars($error); ?></div>
        <?php endif; ?>
        <?php if (isset($success)): ?>
            <div class="alert-success"><?php echo htmlspecialchars($success); ?></div>
        <?php endif; ?>
        <form method="POST" class="space-y-4">
            <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars(generateCSRFToken()); ?>">
            <input type="hidden" name="token" value="<?php echo htmlspecialchars($token); ?>">
            <div class="mb-3">
                <label for="new_password" class="block text-gray-600 font-medium mb-1">New Password</label>
                <input type="password" id="new_password" name="new_password" class="form-control" required placeholder="Enter new password">
            </div>
            <div class="mb-3">
                <label for="confirm_password" class="block text-gray-600 font-medium mb-1">Confirm Password</label>
                <input type="password" id="confirm_password" name="confirm_password" class="form-control" required placeholder="Confirm new password">
            </div>
            <button type="submit" class="btn-primary w-full">Reset Password</button>
        </form>
        <p class="text-gray-600 text-sm mt-4 text-center">
            Back to <a href="/matrimonial/login.php" class="text-red-700 hover:underline">Login</a>
        </p>
    </div>
</main>
</body>
</html>
This solution avoids the issue of sending hashed passwords, provides a secure and user-friendly reset process, and maintains all existing functionality. If you need further assistance with reset-password.php or additional features (e.g., password strength validation), let me know!
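As an added example (not code from the original post), here is the companion forgot-password side that issues the token reset-password.php consumes, using the pass_resets table above. It departs from the page in one respect: only a SHA-256 digest of the token is stored, so a leaked table row cannot be turned into a working reset link; reset-password.php would then call consumeResetToken() in place of its own SELECT/DELETE. It assumes $conn is a PDO connection configured with PDO::ERRMODE_EXCEPTION.

```php
<?php
// Added example, not the original post's code: the forgot-password side,
// storing only a SHA-256 digest of the token in the post's pass_resets table.
// Assumption: $conn is a PDO connection using PDO::ERRMODE_EXCEPTION.

const RESET_TOKEN_TTL_SECONDS = 3600; // reset links expire after one hour

// Create a token for $email, store its digest with an expiry taken from the
// database clock, and return the raw token for the e-mailed link. Older
// tokens for the same address are removed so only the newest link works.
// Callers should answer identically whether or not the address is registered.
function createResetToken(PDO $conn, string $email): string
{
    $raw    = bin2hex(random_bytes(32));   // 64 hex chars from the CSPRNG
    $digest = hash('sha256', $raw);        // 64 hex chars, fits VARCHAR(64)

    $conn->beginTransaction();
    $conn->prepare('DELETE FROM pass_resets WHERE email = ?')->execute([$email]);
    $ins = $conn->prepare('INSERT INTO pass_resets (email, token, expires_at)
                           VALUES (?, ?, DATE_ADD(NOW(), INTERVAL ? SECOND))');
    $ins->bindValue(1, $email);
    $ins->bindValue(2, $digest);
    $ins->bindValue(3, RESET_TOKEN_TTL_SECONDS, PDO::PARAM_INT);
    $ins->execute();
    $conn->commit();
    return $raw;
}

// Validate the token posted back by reset-password.php: returns the owning
// e-mail and deletes the row (single use), or null when the token is
// malformed, unknown or expired. Only digests are compared, so the raw
// token is never stored.
function consumeResetToken(PDO $conn, string $rawToken): ?string
{
    if (strlen($rawToken) !== 64 || !ctype_xdigit($rawToken)) {
        return null; // reject anything that is not a 64-hex-char token
    }
    $digest = hash('sha256', $rawToken);
    $stmt = $conn->prepare('SELECT email FROM pass_resets
                            WHERE token = ? AND expires_at > NOW()');
    $stmt->execute([$digest]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    $conn->prepare('DELETE FROM pass_resets WHERE token = ?')->execute([$digest]);
    return $row['email'];
}
```

The expiry is computed with DATE_ADD(NOW(), ...) so the same database clock that later evaluates expires_at > NOW() also sets it, avoiding PHP/MySQL time zone mismatches.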