HOW TO BUILD A SECURE PASSWORD RESET IN PHP
1. Best Practices
Generate unique, temporary tokens
Tokens should expire
Send reset link via email
Validate token before allowing password change
Hash new passwords using password_hash()
2. Database Structure for Password Reset
CREATE TABLE password_resets (
id INT AUTO_INCREMENT PRIMARY KEY,
user_id INT NOT NULL,
token VARCHAR(255) NOT NULL,
expires_at DATETIME NOT NULL,
used TINYINT(1) DEFAULT 0,
FOREIGN KEY (user_id) REFERENCES users(id)
);
3. Generate Reset Token (request_reset.php)
<?php
session_start();
$pdo = new PDO("mysql:host=localhost;dbname=multi_user_system;charset=utf8mb4","root","");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(isset($_POST['request_reset'])){
    // Validate rather than just sanitize: a malformed address is simply ignored
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if($email !== false){
        $stmt = $pdo->prepare("SELECT id FROM users WHERE email=:email");
        $stmt->execute(['email'=>$email]);
        $user = $stmt->fetch();
        if($user){
            // 32 bytes from the CSPRNG, 64 hex characters; never use rand(), mt_rand() or uniqid()
            $token = bin2hex(random_bytes(32));
            $expires = date("Y-m-d H:i:s", time() + 3600); // 1 hour expiry
            $stmt = $pdo->prepare("INSERT INTO password_resets (user_id, token, expires_at) VALUES (:user_id, :token, :expires_at)");
            $stmt->execute([
                'user_id'=>$user['id'],
                'token'=>$token,
                'expires_at'=>$expires
            ]);
            $reset_link = "https://yourdomain.com/reset_password.php?token=$token";
            // Send $reset_link via email to the user; never print it to the page
        }
    }
    // Same message whether or not the address exists, so the form cannot be used to enumerate accounts
    echo "If that email address is registered, a password reset link has been sent to it.";
}
?>
<form action="" method="POST">
<input type="email" name="email" placeholder="Enter your email" required><br><br>
<button type="submit" name="request_reset">Request Password Reset</button>
</form>
4. Reset Password (reset_password.php)
<?php
session_start();
$pdo = new PDO("mysql:host=localhost;dbname=multi_user_system;charset=utf8mb4","root","");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The token arrives in the query string on the first visit and in a hidden field on submit.
// Validate it on every request, not only when it is present in the URL, otherwise the
// POST branch would run with an undefined $reset.
$token = $_POST['token'] ?? $_GET['token'] ?? '';
$stmt = $pdo->prepare("SELECT * FROM password_resets WHERE token=:token AND used=0 AND expires_at>=NOW()");
$stmt->execute(['token'=>$token]);
$reset = $stmt->fetch();
if(!$reset){
    die("Invalid or expired token.");
}
if(isset($_POST['reset_password'])){
    $new_password = $_POST['new_password'] ?? '';
    if(strlen($new_password) < 8){
        die("Password must be at least 8 characters long.");
    }
    $hashed_password = password_hash($new_password, PASSWORD_DEFAULT);
    // Update the user's password
    $stmt = $pdo->prepare("UPDATE users SET password=:password WHERE id=:user_id");
    $stmt->execute([
        'password'=>$hashed_password,
        'user_id'=>$reset['user_id']
    ]);
    // Mark the token as used so the link cannot be replayed
    $stmt = $pdo->prepare("UPDATE password_resets SET used=1 WHERE id=:id");
    $stmt->execute(['id'=>$reset['id']]);
    echo "Password has been reset successfully!";
    exit; // do not render the form again for a consumed token
}
?>
<form action="" method="POST">
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
<input type="password" name="new_password" placeholder="Enter new password" required><br><br>
<button type="submit" name="reset_password">Reset Password</button>
</form>
5. Best Practices
Tokens must be unpredictable (random_bytes), unique, and time-limited, and must be rejected once used or expired.
Store only a hash of the token (for example SHA-256) in the database and look it up by the hash of the submitted value, so a leaked table does not hand out working reset links.
Respond with the same message whether or not the email address exists; otherwise the request form is an account-enumeration oracle.
Use HTTPS so the reset link is protected in transit, and never echo the link to the page.
Hash new passwords with password_hash(); never store plain text.
Mark the token as used after a successful reset, and retire any older outstanding tokens for the same user, to prevent replay.
Keep PHP's date.timezone and MySQL's session time zone in agreement when expires_at is compared with NOW(); otherwise generate and compare in UTC (gmdate() with UTC_TIMESTAMP()), or expiry can be off by hours.
Validate input and escape output with htmlspecialchars() to avoid XSS; use prepared statements to avoid SQL injection.
Notify the user by email after a password reset, and terminate other active sessions for that account.
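The scripts in sections 3 and 4 store the raw token and compare expiry with NOW(). The block below is an added example, not code from the original tutorial or from faulink.com, that applies the best-practice list above in one place: it persists only the SHA-256 hash of the token in the existing password_resets.token column, retires earlier tokens for the same user, works in UTC end to end, and marks the row used before writing the new password so two concurrent submissions of the same link cannot both succeed. It assumes the tutorial's users and password_resets tables, a dedicated database account named reset_app with a placeholder password, and a minimum password length of 12 characters; these are assumptions, not values from the page.

```php
<?php
// Added example, not part of the original tutorial. Assumes the tutorial's
// users(id, email, password) and password_resets(id, user_id, token,
// expires_at, used) tables; password_resets.token now holds sha256(token)
// rather than the token itself, so a leaked table cannot be redeemed.
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600;   // one hour, as in the tutorial
const MIN_PASSWORD_LENGTH = 12;   // assumed policy; adjust to your own

function db(): PDO {
    // Assumed credentials: a dedicated low-privilege account, not root.
    $pdo = new PDO("mysql:host=localhost;dbname=multi_user_system;charset=utf8mb4",
                   "reset_app", "change-me");
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Issue a reset token for $email. Returns the link to hand to the mailer, or
// null when the address is malformed or unknown. The caller prints the same
// message in both cases so the form cannot be used to enumerate accounts.
function issueResetToken(PDO $pdo, string $email): ?string {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $pdo->prepare("SELECT id FROM users WHERE email = :email");
    $stmt->execute(['email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user) {
        return null;
    }
    $token     = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $tokenHash = hash('sha256', $token);         // only this is persisted
    $expires   = gmdate('Y-m-d H:i:s', time() + RESET_TTL_SECONDS);  // UTC

    $pdo->beginTransaction();
    try {
        // Retire any earlier outstanding tokens so only the newest link works.
        $pdo->prepare("UPDATE password_resets SET used = 1
                       WHERE user_id = :uid AND used = 0")
            ->execute(['uid' => $user['id']]);
        $pdo->prepare("INSERT INTO password_resets (user_id, token, expires_at)
                       VALUES (:uid, :hash, :exp)")
            ->execute(['uid' => $user['id'], 'hash' => $tokenHash, 'exp' => $expires]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return "https://yourdomain.com/reset_password.php?token=" . $token;
}

// Redeem $token and set $newPassword. Returns true on success and false on any
// failure, without revealing which check failed.
function consumeResetToken(PDO $pdo, string $token, string $newPassword): bool {
    // A genuine token is exactly 64 lowercase hex characters; reject the rest early.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    if (strlen($newPassword) < MIN_PASSWORD_LENGTH) {
        return false;
    }
    $stmt = $pdo->prepare("SELECT id, user_id FROM password_resets
                           WHERE token = :hash AND used = 0
                             AND expires_at >= UTC_TIMESTAMP()");
    $stmt->execute(['hash' => hash('sha256', $token)]);
    $reset = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$reset) {
        return false;
    }

    $pdo->beginTransaction();
    try {
        // Mark the row used first, guarded by used = 0, so two concurrent
        // submissions of the same link cannot both succeed.
        $mark = $pdo->prepare("UPDATE password_resets SET used = 1
                               WHERE id = :id AND used = 0");
        $mark->execute(['id' => $reset['id']]);
        if ($mark->rowCount() !== 1) {
            $pdo->rollBack();
            return false;
        }
        $pdo->prepare("UPDATE users SET password = :pw WHERE id = :uid")
            ->execute(['pw'  => password_hash($newPassword, PASSWORD_DEFAULT),
                       'uid' => $reset['user_id']]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return true;
}

// Usage from request_reset.php:
//   $link = issueResetToken(db(), $_POST['email'] ?? '');
//   if ($link !== null) { /* send $link by email; never echo it */ }
//   echo "If that address is registered, a reset link has been sent.";
// Usage from reset_password.php (token carried in a hidden form field):
//   $ok = consumeResetToken(db(), $_POST['token'] ?? '', $_POST['new_password'] ?? '');
//   echo $ok ? "Password updated." : "Invalid or expired link.";
```

No schema change is needed: the 64-character SHA-256 hex digest fits the existing token VARCHAR(255) column. Because the user only ever sees the raw token in the emailed link, an attacker who reads the table gets hashes that cannot be turned back into a usable link, and the UTC_TIMESTAMP() comparison removes the dependency on PHP and MySQL sharing a time zone.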
6. Conclusion
A secure password reset combines random token generation, expiry, single use, and a hashed password update.
It protects users against unauthorized access and account-takeover attacks.
It can be extended with a login attempt limiter, CSRF tokens, and secure sessions.
Visit:
https://www.faulink.com/
For more tutorials on PHP, secure authentication, and password reset systems.