After re-reading the posts, I'm questioning whether I was clear on the forgot password process I'm trying to accomplish.
So just to be sure Jason, here is how things are supposed to work:
1. The user clicks a forgot password link.
2. They are shown a forgot password page with a single form element that asks them to enter their email address.
3. I test to see if the email address exists in my client table.
4. If so, I display a "verify identity" page which shows two fields. One field is the secret question that was selected when they set up their profile. the other field is their secret answer they entered when they set up their profile.
5. The secret question field is populated with the secret question they selected when they set up their profile. This matches the email address they entered. This is not something they will change so there will only be the secret question that they had previously selected when setting up their profile.
6. The user enters their secret answer that they had previously entered when they set up their profile and clicks submit.
7. I check the client table to see if the secret answer they entered on the verify identity page matches what's in the client table for the email address that was previously checked and found to be OK.
8. If it's good, we generate a new password and email it to them. We also store an encrypted version of the password in the client table so that when they attempt to sign in, it will pass.
The reason I ask is that after re-reading the posts, it sounded like maybe you thought I'd let them pick another secret question and type in a secret answer. Perhaps I misread the posts, but just want to be sure we're on the same page.
I'm pulling the secret question from their profile so that I can prompt them for their secret answer. Technically, the secret question doesn't have to be in a form, it could be dynamic text that I display, but their secret answer will have to be in a form so they can submit their answer and I can test to see if it's OK or not.
Is this how you understood the forgot password process worked as well? I'm getting suspicious that when I said I would show two fields on the "verify password" page that it somehow indicated they could select a secret question which is not what I intended. They will see the secret question as it exists in the client table. This may be my fault for putting the secret question in a form rather than just showing it as a dynamic text element.