I'm writing Baby's First Web Application. My first task has been to set up an authentication system, which I think I've done okay on. I'm new to the whole thing, though, so:
When the user reports that he's forgotten his password, I e-mail him a temporary replacement password in plain text. It's perhaps not the most secure way to handle the situation, but it's how I do it for now. I do force him to change it at the next login, and the technique I use is to carry a "must-change" field in the database, set to true for users who've been sent the e-mail.
My question: Is a separate database column the best tactic under the circumstances, or is there something better I can do?
A separate column is quite reasonable.
Operating systems typically have a "password expiration timestamp" field which doubles as a "must change at next logon" flag simply by setting the timestamp to 0 (AKA January 1, 1970). Web sites do not usually have password expiration dates, in which case a plain boolean flag suffices.
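The timestamp-as-flag idea from the answer, as an added example that is not part of the original post: a Python sketch of the reset and login flow in which a `password_expires_at` column is `None` for passwords that never expire and `0` (the Unix epoch) to force a change at the next login. The `UserStore` class and the column names are assumptions, and the temporary password is stored only as a salted hash, so the e-mail is the only plaintext copy.

```python
import hashlib
import hmac
import secrets
import time

EPOCH_ZERO = 0  # timestamp 0 = 1970-01-01, the "must change at next logon" sentinel


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserStore:
    """In-memory stand-in for the users table (constructed for this example)."""

    def __init__(self):
        self.users = {}

    def create_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "password_expires_at": None,  # None = never expires
        }

    def issue_temporary_password(self, username):
        """Reset flow: replace the credential with a random temporary one and
        set the expiry to 0 so the next successful login must change it."""
        temp = secrets.token_urlsafe(12)
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = hash_password(temp, user["salt"])
        user["password_expires_at"] = EPOCH_ZERO
        return temp  # goes into the e-mail; the database keeps only the hash

    def login(self, username, password, now=None):
        """Returns "denied", "must_change" or "ok"."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return "denied"
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
            return "denied"
        expires = user["password_expires_at"]
        if expires is not None and expires <= now:
            return "must_change"  # expired (or epoch-0 sentinel): block normal session
        return "ok"

    def change_password(self, username, old, new, now=None):
        """Requires the current (possibly temporary) password; clears the expiry."""
        if self.login(username, old, now) == "denied":
            return False
        salt = secrets.token_bytes(16)
        self.users[username].update(salt=salt, hash=hash_password(new, salt), password_expires_at=None)
        return True
```

A site that does want expiring passwords only needs to write a future timestamp instead of `None` in `change_password`; the login check stays the same.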