When a user requests a new password, they are sent an email that contains a link with a one-time use token. This token will expire after a specific time. They have to use it as soon as they get it. Once they click on the token, it will send them to the site and show the new password page. However, if the token expires before they use it, they will be told it is invalid.
This should be the email they are sent:
Code:
Dear {1},

You have requested to reset your password on {2} because you have forgotten your password. If you did not request this, please ignore it. It will expire and become useless in 24 hours time.

To reset your password, please visit the following page:
{4}

Your username is: {1}

To edit your profile, first login with the parameters above. Then go to this page:
{3}/settings/profile

All the best,
{2}
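
The one-time, expiring token described above can be issued and checked as follows. This is an added example, not code from the software being discussed; the class name `ResetTokenStore`, the in-memory storage and the lookup by username are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the email says the link expires in 24 hours


class ResetTokenStore:
    """In-memory store (assumption); a real site would keep this in its database."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._pending = {}  # username -> (sha256 of token, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username, now=None):
        """Create the token for the emailed link; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, safe to put in a URL
        # A new request replaces any earlier token for the same user.
        self._pending[username] = (self._digest(token), now + self.ttl)
        return token

    def redeem(self, username, token, now=None):
        """Return True once for a valid, unexpired token; False otherwise."""
        now = time.time() if now is None else now
        record = self._pending.get(username)
        if record is None:
            return False
        stored_digest, expires_at = record
        # Constant-time comparison avoids leaking how much of the token matched.
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False
        # The token matched: consume it whether or not it is still in date,
        # so the same link can never be used a second time.
        del self._pending[username]
        return now < expires_at
```

Storing only the hash means a leaked token table cannot be turned back into working reset links.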