Reset by mail tokens

Configuration file: self-service-password/conf/config.inc.php

How it works

First, the user enters their login and mail address. A mail is sent to them.

Then, the user clicks on the link in the mail, and can set a new password.

PHP sessions are used to store and retrieve the token on the server side.

Activation

You can enable or disable this feature with $use_tokens:

$use_tokens = true;

Mail configuration

Security

You can encrypt tokens to protect the session identifier:

$crypt_tokens = true;

You should set a token lifetime so that unused tokens are deleted. The value is in seconds:

$token_lifetime = "3600";

Token deletion is managed by the PHP session garbage collector.
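
The flow from "How it works" and the two settings above, sketched as an added example (not Self Service Password's own code): the mailed token stands in for the PHP session identifier, so encrypting it keeps the raw identifier out of the mail and the logged URL. The function names, the AES-256-GCM token layout, the key handling and the lifetime check at validation time are assumptions made for this illustration.

```php
<?php
// Added illustration, not Self Service Password's own code; function names and
// the token layout (hex of IV | tag | ciphertext) are assumptions.
const CIPHER = 'aes-256-gcm';
// Step 1: login and mail matched; open a session and derive the mailed token.
function issue_token(string $login, string $key, bool $crypt_tokens): string
{
    session_start();
    $_SESSION['login'] = $login;
    $_SESSION['time']  = time();            // reference point for the lifetime check
    $sid = session_id();
    session_write_close();
    if (!$crypt_tokens) {
        return $sid;                        // raw session id would go into mail and logs
    }
    $iv = random_bytes(12);
    $ct = openssl_encrypt($sid, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return bin2hex($iv . $tag . $ct);
}

// Step 2: the link was clicked; recover the session and enforce the lifetime.
function check_token(string $token, string $key, bool $crypt_tokens, int $token_lifetime): ?string
{
    $sid = $token;
    if ($crypt_tokens) {
        $raw = ctype_xdigit($token) && strlen($token) % 2 === 0 ? hex2bin($token) : '';
        [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
        $sid = strlen($raw) <= 28 ? false   // too short, or decryption/authentication fails
            : openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    }
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]+$/', $sid)) {
        return null;                        // tampered token or malformed session id
    }
    session_id($sid);
    session_start();
    $login = $_SESSION['login'] ?? null;
    if ($login === null || time() - ($_SESSION['time'] ?? 0) > $token_lifetime) {
        session_destroy();                  // expire now instead of waiting for the GC
        return null;
    }
    return $login;
}

session_save_path(sys_get_temp_dir());      // demo only: writable store for CLI runs
$key   = random_bytes(32);                  // constructed key for the demo
$token = issue_token('jdoe', $key, true);   // 'jdoe' is a constructed login
$bad   = substr($token, 0, -1) . ($token[-1] === '0' ? '1' : '0');
$results = [check_token($bad, $key, true, 3600), check_token($token, $key, true, 3600)];
var_dump($results);                         // printed last so no output precedes session calls
```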

Log

By default, generated URLs are logged in the default Apache error log. This behavior can be changed to log to a specific file instead:

$reset_request_log = "/var/log/self-service-password";

The Apache user must have write permission on this file.