Is there a tutorial for validating a user in order to send them their password?
I found a post by Walikan regarding something I'm interested in doing. However, I don't know much about the background of the steps to do what he did.
Is there a tutorial for how to create a "forgot password" page followed by a second check to verify their identity followed by sending them an email with a new password?
Basically, I want a forgot password feature where I ask them for their userID (their email address). Once they submit their userID, I will need to check in the database to see if it exists. If it does exist, then I want to route them to a verify identity page. Once there I plan to use their userID in order to retrieve and display a "Secret question" they selected from a canned list of secret questions when creating their profile.
Once they view their secret question that they had selected when creating their profile, I'll have a form element which will prompt them for their secret answer. When they enter their secret answer and submit the form, I want to verify that the secret answer matches what they entered in their profile.
If their secret answer matches what's in the database, I'll route them to an "email sent" page which explains that an email has been sent that contains their new password along with instructions with what to do next.
If they don't answer their secret answer correctly, I want to display an error message to indicate the secret answer is incorrect. If they still can't answer their secret answer they can contact us to tell us their problems.
If the userID doesn't exist, then I'll display a page indicating we don't have a userID in our system as they entered.
I'm interested if you have a tutorial as well as what tools you offer that could be used to accomplish this. I'm using DW CS4 with PHP and MySQL.
I've viewed one of your tutorials that covers setting up the basic pages for logging in and a forgot password page, but the forgot password page doesn't go far enough since I don't want to automatically reset the password without the user verifying who they are based on their userID. This will stop miscreants from constantly resetting someone's password without them ever requesting it.
thanks,
steve
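
The flow described in the post above (look up the userID, show the stored secret question, check the secret answer, then issue a new password), as an added PHP example that is not part of the original post or of any vendor tutorial. The table layout, the function names, the attempt limit and the in-memory SQLite database standing in for MySQL are assumptions; it needs PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example. Assumed schema: users(email, secret_question, answer_hash,
// password_hash, failed_answers). SQLite in memory stands in for MySQL.
declare(strict_types=1);
const MAX_FAILED_ANSWERS = 5; // assumed limit; after this the user contacts support

function normalize_answer(string $answer): string {
    return strtolower(trim($answer)); // ignore case and surrounding spaces
}

function get_secret_question(PDO $db, string $email): ?string {
    $q = $db->prepare('SELECT secret_question FROM users WHERE email = ?');
    $q->execute([$email]);
    $row = $q->fetchColumn();
    return $row === false ? null : (string)$row; // null: userID not in the system
}

function reset_if_answer_matches(PDO $db, string $email, string $answer): ?string {
    $q = $db->prepare('SELECT answer_hash, failed_answers FROM users WHERE email = ?');
    $q->execute([$email]);
    $user = $q->fetch(PDO::FETCH_ASSOC);
    if ($user === false || (int)$user['failed_answers'] >= MAX_FAILED_ANSWERS) {
        return null;
    }
    // The answer is stored hashed, like a password, and checked the same way.
    if (!password_verify(normalize_answer($answer), $user['answer_hash'])) {
        $db->prepare('UPDATE users SET failed_answers = failed_answers + 1 WHERE email = ?')
           ->execute([$email]);
        return null;
    }
    $newPassword = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
    $db->prepare('UPDATE users SET password_hash = ?, failed_answers = 0 WHERE email = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email]);
    return $newPassword; // the caller emails this; only its hash is stored
}

// Constructed sample data for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, secret_question TEXT,
           answer_hash TEXT, password_hash TEXT, failed_answers INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO users (email, secret_question, answer_hash, password_hash) VALUES (?,?,?,?)')
   ->execute(['user@example.com', 'Name of your first pet?',
              password_hash(normalize_answer('Rex'), PASSWORD_DEFAULT),
              password_hash('old-password', PASSWORD_DEFAULT)]);

var_dump(get_secret_question($db, 'nobody@example.com'));            // unknown userID
var_dump(reset_if_answer_matches($db, 'user@example.com', 'Fido'));  // wrong answer
var_dump(reset_if_answer_matches($db, 'user@example.com', ' rex ')); // correct answer
```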