Reset by mail tokens

Configuration file: self-service-password/conf/config.inc.php

How it works?

First, the user will enter his login and his mail address. A mail is sent to him.

Then, the user click on the link in the mail, an can set a new password.

PHP sessions are used to store and retrieve token on server side.

Activation

You can enable or disable this feature with $use_tokens:

$use_tokens = true;

Mail configuration

See the mail configuration documentation.

You can also avoid to request the mail to the user, only the login will be asekd, and the mail will be read in LDAP:

$mail_address_use_ldap = true;

Security

You can crypt tokens, to protect the session identifier:

$crypt_tokens = true;

You should set a token lifetime, so they are deleted if unused. The value is in seconds:

$token_lifetime = "3600";
Token deletion is managed by PHP session garbage collector.

Log

By default, generated URLs are logged in the default Apache error log. This behavior can be changed, to log in a specific file:

$reset_request_log = "/var/log/self-service-password";
Apache user must have write permission on this file.

Reset URL

By default, reset URL is computed using server name and port, but these values can be wrong if the application is behind a reverse proxy. In this case you can set yourself the reset URL:

$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];