Tuesday, 15 January 2019

Best practices regarding sending emails, particularly password reset emails

Say I have a standard messageboard application like the many that existed back in the 90s and 00s. An ordinary CRUD app, with registered users. A user forgets their password on the login page, so they click a link which says "Forgot password?" or something like that. What are the best practices (i.e. professional or 'enterprise-grade' practices) to carry out the password-reset action for a user, and also send an email to that user?

My idea for now in sending emails is to use Nodemailer. What are some professional standards / necessary steps (i.e. in keeping the server secure) I should be aware of?

For the action of resetting the password, my plan is to change the user's password in the database to a randomised string of 25 characters or so and send that randomised string in plaintext inside the email, telling them to change it as soon as they log back in. Perhaps I should make it so that when they log back in with that one-time-use password, they are taken to a page where they must set a new password. Would that be a good way to do it?

Thanks in advance to any respondents.

Submitted January 15, 2019 at 02:33PM by beefyjon
