3

I have created a user login system.

On my forgot-password page, I use PHP to email the user. The user will receive an email with a link:

link:

[email protected]&confirm_code=uefu8878ef...

The user can click this link to access the reset_password page.

However, this uses GET, which means anyone can check the browser history to access this page and reset the password.

Any suggestions?

3 Answers

6

After the link is used mark the confirmation code as used/invalid so it cannot be used again.


5 Comments

In addition, when you create the code, add an expiration date. Don't let it sit there forever if it's not used.
And I would also suggest using POST, in addition to the solution proposed above.
I think I will use sha1 on the email too, and if the user clicks the link, DELETE the code from the db immediately.
@chien pin wang: regenerate another token based on a random number :-)
You can't have a post link from an email, but the rest is correct: make a random hash each time, link it to that account specifically, dump it once it's used, and give it an expiration date (24-48 hours at the most).
1

If you want to hide the email as well, generate a custom token to do that. The token must be unique, and keep it linked with the email address in your database. Delete it when it has been used (or mark it used).


0

Save your confirmation code in the database, link it to the email address, and give it an expiry time. Now, each time this page is requested, first check whether the confirmation_code is related to this email; if it is, compare the time of use with the time stored in the database. If it is not expired, mark it as authorized and process the request; otherwise delete the record entirely.

Then, about expiry: to be more secure, I think that if you set the expiry date to 1 hour it will make sense. Hope this will help :)
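All three answers describe the same scheme: a random, per-account token stored in the database with an expiry, invalidated the moment it is used, and carried in the link instead of the email address. The code below is an added example of that scheme, not code from the question or from any of the answers; it is written in Python with an in-memory SQLite table rather than the asker's PHP, and the table name `password_resets`, the helper names and the address alice@example.com are constructed for the example. It also stores only a SHA-256 hash of the token, so a copy of the table holds nothing that can be pasted into a URL, and it splits validation into `peek_token` (for the GET that renders the new-password form) and `consume_token` (for the POST that actually changes the password), so a URL replayed from browser history shows at most an empty form once the token has been spent.

```python
import hashlib
import secrets
import sqlite3
import time

# One hour, as suggested in the last answer above (constructed value for the example).
TOKEN_TTL_SECONDS = 3600


def open_store():
    """Constructed schema: one row per issued reset token, keyed by its hash."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE password_resets (
               email      TEXT    NOT NULL,
               token_hash TEXT    NOT NULL UNIQUE,
               expires_at INTEGER NOT NULL,
               used       INTEGER NOT NULL DEFAULT 0)"""
    )
    return db


def hash_token(token):
    # The raw token lives only in the emailed link; the database sees its hash.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(db, email, now=None):
    """Create a fresh single-use token for `email`, superseding any outstanding one."""
    now = int(time.time()) if now is None else now
    # Only the newest token for an account should work.
    db.execute("UPDATE password_resets SET used = 1 WHERE email = ? AND used = 0", (email,))
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
    db.execute(
        "INSERT INTO password_resets (email, token_hash, expires_at) VALUES (?, ?, ?)",
        (email, hash_token(token), now + TOKEN_TTL_SECONDS),
    )
    db.commit()
    return token


def build_reset_link(base_url, token):
    """The link carries only the token; the account is resolved from the database."""
    return f"{base_url}?confirm_code={token}"


def _lookup(db, token, now):
    """Return (rowid, email) for a live token, or None if unknown, used or expired."""
    row = db.execute(
        "SELECT rowid, email, expires_at, used FROM password_resets WHERE token_hash = ?",
        (hash_token(token),),
    ).fetchone()
    if row is None:
        return None
    rowid, email, expires_at, used = row
    if used or now > expires_at:
        return None
    return rowid, email


def peek_token(db, token, now=None):
    """GET handler check: is the token live? Does not consume it."""
    now = int(time.time()) if now is None else now
    hit = _lookup(db, token, now)
    return None if hit is None else hit[1]


def consume_token(db, token, now=None):
    """POST handler check: return the email and burn the token, or None."""
    now = int(time.time()) if now is None else now
    hit = _lookup(db, token, now)
    if hit is None:
        return None
    rowid, email = hit
    # The `used = 0` guard makes this atomic: two concurrent POSTs with the
    # same token cannot both win, because only one UPDATE changes a row.
    cur = db.execute(
        "UPDATE password_resets SET used = 1 WHERE rowid = ? AND used = 0", (rowid,)
    )
    db.commit()
    return email if cur.rowcount == 1 else None


if __name__ == "__main__":
    store = open_store()
    t = issue_token(store, "alice@example.com")
    print(build_reset_link("https://example.com/reset_password.php", t))
    print("GET  ->", peek_token(store, t))
    print("POST ->", consume_token(store, t))
    print("replay ->", consume_token(store, t))
```

Marking rows `used` rather than deleting them keeps an audit trail of who requested resets and when; a periodic job can purge rows whose `expires_at` is in the past. In the PHP original the same `SELECT ... WHERE token_hash = ?` / `UPDATE ... WHERE used = 0` pair maps directly onto prepared statements, and the reset page should perform the password change only on the POST.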
