I have a 'forgot password' system set up that sends an email with a reset link to the user. My question is: How can I prevent abuse of this system? How can I make sure that people don't use this to spam people's inboxes but still have it usable for the people that need it?
Ask for the registered email address rather than the username? It is much less likely to be known by a malicious user.
Alternately, have a TimeOfLastReset field in your users table, and update this whenever you send an email. If CurrentTime-TimeOfLastReset is too small, then don't send.
When a recovery e-mail is sent, record the time at which it happened. If there are any further/too many recovery requests within a preset time interval (15 minutes? 6 hours? a day?), print a message and don't send the e-mail.
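Both of the throttling answers above (the TimeOfLastReset column and the "don't send within a preset interval" rule) describe the same check. The following is an added example, not code from the original thread, showing that check in Python with a constructed in-memory stand-in for the users table; the 15-minute cooldown, the `make_users` helper and the function names are assumptions for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Minimum gap between two reset e-mails for the same account (assumed value;
# the thread mentions 15 minutes, 6 hours or a day as candidates).
RESET_COOLDOWN_SECONDS = 15 * 60

# The same reply is shown whether the address was mailed, throttled or unknown,
# so the response does not tell the requester which addresses have accounts.
GENERIC_MESSAGE = "If that address is registered, a reset link has been sent."


@dataclass
class User:
    email: str
    time_of_last_reset: Optional[float] = None  # plays the role of TimeOfLastReset


def make_users() -> Dict[str, User]:
    """Constructed stand-in for the users table, keyed by normalised e-mail."""
    return {"alice@example.com": User("alice@example.com")}


def request_password_reset(
    users: Dict[str, User],
    email: str,
    send_email: Callable[[str], None],
    now: Optional[float] = None,
    cooldown: float = RESET_COOLDOWN_SECONDS,
) -> bool:
    """Send a reset e-mail unless one already went out within the cooldown.

    Returns True if an e-mail was sent, False if the request was throttled
    or the address is not registered.
    """
    now = time.time() if now is None else now
    user = users.get(email.strip().lower())  # look up by the registered e-mail
    if user is None:
        return False
    last = user.time_of_last_reset
    if last is not None and now - last < cooldown:
        return False  # CurrentTime - TimeOfLastReset is too small: do not send
    user.time_of_last_reset = now  # update the timestamp whenever we send
    send_email(user.email)
    return True


def handle_reset_form(
    users: Dict[str, User],
    email: str,
    send_email: Callable[[str], None],
    now: Optional[float] = None,
) -> str:
    """Web-handler shape: perform the check, then show one fixed message."""
    request_password_reset(users, email, send_email, now)
    return GENERIC_MESSAGE


if __name__ == "__main__":
    outbox = []  # constructed mail sink; a real handler would call the mailer
    users = make_users()
    print(request_password_reset(users, "alice@example.com", outbox.append, now=1000.0))  # True
    print(request_password_reset(users, "alice@example.com", outbox.append, now=1100.0))  # False
    print(request_password_reset(users, "alice@example.com", outbox.append, now=1900.0))  # True
    print(outbox)
```

The timestamp is stored per account rather than per requester, so repeated requests for the same victim address are capped no matter how many sources they come from; the fixed message keeps the throttled and unknown-address cases indistinguishable to the person submitting the form.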