How can I let the browser know the username when user updates his password?

0
votes

I have a member login system (symfony/php website). When the member logs in, the browser asks the user (as most browsers do nowadays), whether the username and password should be remembered. So far so good.

When the user needs to set a new password by the "forgot password"-link, he will receive a link via his email address. When the link is clicked, he gets a form with two inputs (newPassword and newPassword2) where he can decide on a new password.

Since there is no username-input on this form, the browser cannot know, to which username he should save this password.

How can I make the browser know what the correct username is? I have all data available, but I don't know how to present it to the browser in a correct way. There should be no additional fields visible to the user.

I tried

<input type="hidden" name="username" value="[email protected]"/>

but at least Google Chrome doesn't seem to read that value for its password manager.

1
symfonyloginpasswords
Try to check stackoverflow.com/questions/2382329/…πter

1 Answers

1
votes

No need to send the username to the browser (it's dangerous, I will explain further). When the "forgot password" link is clicked, generate a unique key and store it in a special field of the user table in database (i'll call it "validation code"). This validation code will be inserted in the link sent to the user. When the user click on this link in its email, this code is inserted in a hidden field of the "new password" form. This key will be used after submit to determine the user.

I recommend you not to insert the username directly since a malicious user could modify the HTML code to set the password of any user account.