Aug 14, 2009
I have a new website. And the following is my scenario:
I will send an email to 5 people (the number is not important). Inside the email, I will include a link for them to click:
The key is randomly generated using salt and sha1 in PHP. Upon clicking the link in their email, can I directly let them access the update profile page? Or do I need to ask them to log in again? If I directly let them access the update profile page, what are the security things I need to take care of? I know that a login can store a session, but the thing is, they click the link from their email, and I think it's quite private and safe.
The only security flaw I can think of is: the hacker can magically memorize the "key" (which is about 60++ characters), and then type in the browser URL: [url]....
If the hackers can do that, then I am done. My users' accounts will be hacked.
Is there anything else that a hacker can hack? Just the update profile page only.
By the way, if they have already updated their profile, should I remove the "key" in the database?
I am using PHP and MySQL.
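
One way to handle the emailed key described in the question, as an added example that is not part of the original post: the key comes from the OS CSPRNG, only its hash is stored, and it expires and works once. The `profile_links` table, `issueKey` and `redeemKey` are hypothetical names, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not the poster's code. Table and function names are hypothetical.
// SQLite in memory stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profile_links (
    user_id INTEGER NOT NULL,
    token_hash TEXT NOT NULL UNIQUE,
    expires_at INTEGER NOT NULL,
    used_at INTEGER)');

// Create the key for one recipient; only its SHA-256 hash is stored.
function issueKey(PDO $db, int $userId, int $ttl = 86400): string
{
    $key = bin2hex(random_bytes(32)); // 64 hex characters from the OS CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO profile_links (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $key), time() + $ttl]);
    return $key; // goes into the emailed link, never into the database
}

// Redeem a key taken from the link: user id, or null if unknown, expired or used.
function redeemKey(PDO $db, string $key): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $key)) {
        return null; // not in the format issueKey() produces
    }
    $hash = hash('sha256', $key);
    $now = time();
    // One UPDATE both checks validity and marks the row used, so the key
    // stays single-use even when two requests arrive at the same time.
    $upd = $db->prepare('UPDATE profile_links SET used_at = ?
                         WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?');
    $upd->execute([$now, $hash, $now]);
    if ($upd->rowCount() !== 1) {
        return null;
    }
    $sel = $db->prepare('SELECT user_id FROM profile_links WHERE token_hash = ?');
    $sel->execute([$hash]);
    return (int) $sel->fetchColumn();
}

$key = issueKey($db, 42);                      // constructed sample user id
var_dump(redeemKey($db, $key));                // first use of the emailed key
var_dump(redeemKey($db, $key));                // replay of the same key
var_dump(redeemKey($db, str_repeat('0', 64))); // key that was never issued
```

Calling `redeemKey` when the profile form is submitted, rather than when the link is first opened, keeps a mail scanner that prefetches links from using up the key before the recipient does.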