The goal of sending some data|string to the user's email is validation of the account owner. Please take care of some points:
- Avoid sending important information in the reset or activation link.
- The best way is to store a unique string in conjunction with the user
account and send it as that link. But be aware: if you send just one
section as the link to the user's email and just check it in the page, your
application may be in danger from a brute-force or dictionary
attacker. It's enough to check a list of strings to find some links
and change the password. I know that has a small chance, but not zero.
Result:
I think it's better if you:
- Combine the user's email with the link string, then encrypt them
(not hash, because a hashed value can't be reversed) and send the result to the user's
email.
- The user clicks and your page gets the encrypted value.
- Decrypt the value.
- Extract the user's email.
- Find the email in the database.
- Compare the string from the received link with the one attached to the user's
email in the database.
Good luck.
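
The steps above, sketched in Node.js as an added example that is not part of the original answer. The function names, the in-memory `db`, the choice of AES-256-GCM, the 15-minute lifetime, the single-use rule and storing a SHA-256 digest instead of the raw string are all assumptions made for illustration.

```javascript
// Added example: names, the Map-based "db" and the TTL are illustrative assumptions.
const crypto = require("crypto");

const KEY = crypto.randomBytes(32);   // assumption: a real app loads this from a secret store
const TTL_MS = 15 * 60 * 1000;        // assumed link lifetime
const db = new Map();                 // email -> { digest, expires }; stands in for the user table

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Build the opaque value that goes into the e-mailed link.
function issueResetValue(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString("hex");  // unguessable per-request string
  db.set(email, { digest: sha256(token), expires: now + TTL_MS });
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", KEY, iv);
  const body = Buffer.concat([
    cipher.update(JSON.stringify({ email, token }), "utf8"),
    cipher.final(),
  ]);
  // Layout: 12-byte IV | 16-byte auth tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64url");
}

// Returns the e-mail address when the value is valid, otherwise null.
function redeemResetValue(value, now = Date.now()) {
  let payload;
  try {
    const raw = Buffer.from(String(value), "base64url");
    if (raw.length < 28) return null;
    const decipher = crypto.createDecipheriv("aes-256-gcm", KEY, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    payload = JSON.parse(plain.toString("utf8"));
  } catch {
    return null;                      // tampered, truncated or guessed value fails the GCM tag
  }
  const row = db.get(payload.email);
  if (!row || now > row.expires) return null;
  // Constant-time comparison of equal-length digests
  if (!crypto.timingSafeEqual(sha256(String(payload.token)), row.digest)) return null;
  db.delete(payload.email);           // single use: the same link cannot be replayed
  return payload.email;
}
```

Because GCM authenticates the ciphertext, a guessed or modified link value is rejected before any database lookup happens, so enumeration attempts never reach the stored string.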