In my project, if the user has forgotten their password, I force them to type their username and using Javascript and windows.locationopen a new web page with a type request GETand send their username as a variable. On this page, once you have answered the security question, you can change your password.
After a review, I realized that this action opens a big security hole, because anyone can request this same web page and send a valid user, and if they know the answer to the security question, change the user's password .
I thought of sending a kind of security "token", that only I know of, but I can't think of something that is unique and unrepeatable, apart of course from the date or time.
If I write something in the HMTL, even if it is of type hidden, when reviewing the source code you can see it, and the date or time would be very predictable, even if I modified it in some way, since the source code can be accessed in JS .
It could be that you are not thinking very well about the solution and there is another way to do it. With all these details, is there any variable that is unique and unrepeatable that I can generate with Javascript and decrypt with PHP?
Have you tried using UUID or GUID to do this type of work? I'll give you a function.
You run it running:
It will return random values like this:
Imagine generating a UUID for each user in a separate table of your database, with Javascript you place that variable as an identifier for that user somewhere in the DOM or wherever you need, then send it and try to match this UUID with the one that exists in the database, this is going to be a unique variable and very difficult for anyone to discover.
Some apps send an email where these types of UUIDs are used but as they mentioned in the comments, they can be temporary if you wish, this increases the security of your application much more than it is today.
I hope this idea is helpful.