- When your user requests a password reset, generate a token and calculate its expiry date
- Store the token and its expiry date in separate columns in your users table for that user
- Send an email to the user containing the reset link, with the token appended to its URL
- When your user follows the link, grab the token from your URL (perhaps with `$_GET['token']`)
- Verify the token against your users table
- Check that it’s not past its expiry date yet
- If it has expired, invalidate it, perhaps by clearing the fields, and allow the user to resend
- If the token is valid and usable, present your password reset form to the user
- Validate and update the password and clear the token and expiry fields
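The steps above carried through end to end, as an added PHP example that is not code from the original page. It assumes a PDO connection, a `users` table with `email`, `password_hash`, `reset_token` and `reset_expires` columns, and a mailer callable; the demo at the bottom uses an in-memory SQLite database and captures the "mail" in a variable so it runs offline. It goes slightly beyond the list in two places, both labelled in the comments: the stored column holds a SHA-256 hash of the token rather than the token itself (so a leaked table cannot be replayed as a working reset link), and the token is cleared in the same transaction as the password update so it is single use.

```php
<?php
// Added example, not the original page's code. Assumed schema:
//   users(id, email, password_hash, reset_token, reset_expires)
declare(strict_types=1);

const RESET_TOKEN_TTL_SECONDS = 3600; // expiry window: one hour

// Steps 1-3: generate the token, store it with its expiry, e-mail the link.
function createResetToken(PDO $pdo, string $email, callable $sendMail): void
{
    // CSPRNG token: 32 random bytes -> 64 hex characters (256 bits of entropy).
    $token   = bin2hex(random_bytes(32));
    $expires = time() + RESET_TOKEN_TTL_SECONDS;

    // Separate columns for token and expiry, as the page describes.
    // Hardening beyond the page: store a hash of the token, not the token.
    $stmt = $pdo->prepare(
        'UPDATE users SET reset_token = :t, reset_expires = :e WHERE email = :m'
    );
    $stmt->execute([':t' => hash('sha256', $token), ':e' => $expires, ':m' => $email]);

    // Only mail when an account matched. The HTTP response shown to the requester
    // should be identical either way so the form cannot be used to enumerate accounts.
    if ($stmt->rowCount() === 1) {
        $sendMail($email, 'https://example.com/reset?token=' . urlencode($token));
    }
}

// Steps 5-8: look the token up, reject it if unknown or expired.
function findUserForToken(PDO $pdo, string $token): ?array
{
    if (!preg_match('/^[a-f0-9]{64}$/', $token)) {
        return null; // malformed token: reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT id, reset_expires FROM users WHERE reset_token = :t');
    $stmt->execute([':t' => hash('sha256', $token)]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null; // no such token
    }
    if ((int) $user['reset_expires'] < time()) {
        // Expired: invalidate by clearing the fields so the user can request a new one.
        clearResetFields($pdo, (int) $user['id']);
        return null;
    }
    return $user;
}

// Step 9: validate the new password, store its hash, clear token and expiry.
function completeReset(PDO $pdo, string $token, string $newPassword): bool
{
    $user = findUserForToken($pdo, $token);
    if ($user === null || strlen($newPassword) < 12) {
        return false; // minimum length is an assumed local policy
    }
    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare('UPDATE users SET password_hash = :p WHERE id = :id');
        $stmt->execute([':p' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $user['id']]);
        clearResetFields($pdo, (int) $user['id']); // single use: token dies with the reset
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return true;
}

function clearResetFields(PDO $pdo, int $userId): void
{
    $stmt = $pdo->prepare('UPDATE users SET reset_token = NULL, reset_expires = NULL WHERE id = :id');
    $stmt->execute([':id' => $userId]);
}

// Demo on constructed data: in-memory SQLite and a mailer that just records the link.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
            password_hash TEXT, reset_token TEXT, reset_expires INTEGER)');
$pdo->exec("INSERT INTO users (email, password_hash) VALUES ('alice@example.com', '')");

$sentLink = null;
createResetToken($pdo, 'alice@example.com', function (string $to, string $link) use (&$sentLink): void {
    $sentLink = $link; // a real application would send the e-mail here
});

// Simulate the user following the link: pull the token out of the URL as $_GET['token'] would.
parse_str((string) parse_url($sentLink, PHP_URL_QUERY), $query);
$token = $query['token'];

printf("token usable before reset: %s\n", findUserForToken($pdo, $token) !== null ? 'yes' : 'no');
printf("reset accepted: %s\n", completeReset($pdo, $token, 'correct horse battery staple') ? 'yes' : 'no');
printf("token usable after reset: %s\n", findUserForToken($pdo, $token) !== null ? 'yes' : 'no');
```

Run it with `php reset.php` (requires the `pdo_sqlite` extension). Because only the hash is stored, comparison happens through the indexed `reset_token` column rather than a PHP-side string compare, and the raw token exists only in the e-mail the user receives.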