Say for some reason you needed to verify someone's email address, and it was time-sensitive (e.g. for password reset, rather than easily-guessed "Security Questions," you're offloading the responsibility of identity verification to their email provider). By time sensitive, I mean you generate the link and then it is inactive after some period, so that someone couldn't for example go through the person's browser history and reset their password.
This is a pretty common scenario, but not something I found a lot of resources on. Oddly, most results I found for searches with respect to password reset, email verification and PHP were specific to WordPress. o_0
The solution I ended up using was md5("$salt $email $time") and then emailing a link containing the email address, time and hash.
I'm kind of curious what the "usual" way of doing this is. Are there any particular vulnerabilities to my method I might be missing? The biggest thing I can see is that if the salt were somehow discovered, someone could generate hashes themselves to change a password without even emailing the user.
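Added example, not code from the question: the same link layout (email, time, tag), but with md5("$salt $email $time") replaced by a keyed HMAC, an explicit expiry check and a constant-time comparison. The one-hour TTL, the example.com URL and the `$secretKey` value are assumptions for the demo.

```php
<?php
// Time-limited reset link: email + issue time + HMAC tag (assumed design, not the asker's code).

const RESET_TTL_SECONDS = 3600; // assumed policy: link is valid for one hour

function resetTag(string $secretKey, string $email, int $issuedAt): string
{
    // Keyed MAC over email and timestamp; the key never leaves the server,
    // and a NUL separator keeps the field boundaries unambiguous.
    return hash_hmac('sha256', $email . "\0" . $issuedAt, $secretKey);
}

function makeResetLink(string $secretKey, string $email, int $now): string
{
    $tag = resetTag($secretKey, $email, $now);
    return 'https://example.com/reset?' . http_build_query([
        'email' => $email, 't' => $now, 'h' => $tag,
    ]);
}

// True only if the tag is genuine for this email/time and the link has not expired.
function verifyResetParams(string $secretKey, array $params, int $now): bool
{
    if (!isset($params['email'], $params['t'], $params['h'])) {
        return false;
    }
    $issuedAt = (int) $params['t'];
    if ($issuedAt > $now || $now - $issuedAt > RESET_TTL_SECONDS) {
        return false; // expired, or a timestamp from the future
    }
    $expected = resetTag($secretKey, (string) $params['email'], $issuedAt);
    // hash_equals compares in constant time, so a mismatch position is not leaked.
    return hash_equals($expected, (string) $params['h']);
}

// Constructed demo values; the key would normally come from server-side config.
$key = 'replace-with-a-long-random-secret-from-config';
$link = makeResetLink($key, 'user@example.com', time());
parse_str(parse_url($link, PHP_URL_QUERY), $params);
var_dump(verifyResetParams($key, $params, time()));        // fresh, untampered link
var_dump(verifyResetParams($key, $params, time() + 7200)); // same link checked after the TTL
$params['email'] = 'other@example.com';                    // email swapped, tag unchanged
var_dump(verifyResetParams($key, $params, time()));
```

Because the tag is stateless, a link stays valid for the whole TTL even after it has been used; storing a random single-use token (or its hash) with an expiry and deleting it on use is the common alternative when one-time semantics matter.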
