Simple CakePHP Auth based forgot password setup. This code has been tested in both CakePHP 1.2.X and 1.3.X using CakePHP's Auth component and ACL behavior.
Follow the example MVC setup included and modify as necesary. NOTE: this code is to be used as an example only.
Request to forgot_password() prompts user to enter username. If the username is found, __generatePasswordToken() sets reset_password_token = [hash of a random string] and sets token_created_at = [current timestamp]. An email is sent to the user containing
https://example.com/users/reset_password_token/[random_hashed_string]
to complete the request within 24 hours. reset_password_token($token) validates the token, user, etc., and prompts the user to reset their password. If successful, the password is reset, the token is destroyed and the user is notified via email.
I created an hourly cron job to clean up invalid tokens. See vendors > shells > password_reset_token.php.
crontab -e 0 * * * * /path_to_cakeshell/cakeshell password_reset_token -cli /usr/bin -console /path_to_cake_console/cake/console -app /path_to_app/public_html/app >> /path_to_log_file/password_reset_token.log
CREATE TABLE users (
id int(11) unsigned NOT NULL AUTO_INCREMENT,
username varchar(50) NOT NULL DEFAULT '',
password varchar(255) NOT NULL,
first_name varchar(255) NOT NULL,
middle_name varchar(255) DEFAULT NULL,
last_name varchar(255) NOT NULL,
email varchar(100) NOT NULL DEFAULT '',
group_id int(11) unsigned NOT NULL DEFAULT '0',
active tinyint(1) NOT NULL DEFAULT '0',
created datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
modified datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
reset_password_token varchar(255) DEFAULT NULL,
token_created_at datetime DEFAULT NULL,
PRIMARY KEY (id),
UNIQUE KEY username (username),
UNIQUE KEY reset_password_token (reset_password_token),
KEY group_id (group_id)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 ;
- Add forgot username.
- Add auto-login after password is reset.
- Ken Seal (github.com/hunzinker)
MIT