I'm developing an application, and I'm doubtful about the password recovery part.
I have a method where the user enters the e-mail registered in the application when they forget the password. Ex:
public function esqueciSenha($email)
{
    // generates the recovery token and e-mails the link to the user
    self::enviaEmail($email);
    // ...
}
This function, `enviaEmail`, generates a password-recovery token and sends a URL to the user by e-mail. Ex:
In the generated URL there will be a form for the user to enter the new password. I thought about using AJAX to take the password-change token, the user id (passed in the URL) and the new password, and send them (via POST) to the method `alterarSenhaPorToken`, which receives `$id`, `$token` and `$novaSenha`, validates the token and the id, and then changes the user's password. Ex:
public function alterarSenhaPorToken($id, $token, $novaSenha)
{
    // token validation (check that it belongs to $id and is still valid)
    // ...
    self::trocarSenha($id, $novaSenha);
    // ...
}
My questions:
Is there a problem, security-wise, in passing the user's token and user id through the URL? If there are problems, what would be the safest way to do this?
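For reference, here is an added, self-contained PHP example of the flow the question describes (it is not the asker's code, and the method names `esqueciSenha` / `alterarSenhaPorToken` are reused only to match the question). It assumes an in-memory array as a stand-in for the users and password-reset tables, a hypothetical URL `https://app.example/nova-senha`, and a one-hour token lifetime. The points it demonstrates are the ones a reviewer would look for: the token comes from the CSPRNG, only its SHA-256 is stored so a database leak does not yield usable links, the link is single-use and expires, and the user id does not need to travel in the URL at all because the token already identifies the user.

```php
<?php
// Added example (not the asker's code): a minimal password-reset flow with
// single-use, expiring tokens. The "database" is an in-memory array so the
// script runs stand-alone; table/column names and the TTL are assumptions.
declare(strict_types=1);

const RESET_TOKEN_TTL = 3600; // seconds a reset link stays valid (assumption)

// Stand-in for the users table: id => [email, password hash].
$users = [
    42 => ['email' => 'user@example.com',
           'senha' => password_hash('senha-antiga', PASSWORD_DEFAULT)],
];
// Stand-in for a password_resets table: sha256(token) => [user id, expiry].
$resets = [];

// Step 1: "esqueciSenha" - create a token for the e-mail and build the link.
// Only the SHA-256 of the token is persisted; the raw token exists only in
// the e-mail, so whoever reads the database cannot forge a valid link.
function esqueciSenha(string $email, array $users, array &$resets, int $now): ?string
{
    foreach ($users as $id => $u) {
        if ($u['email'] !== $email) {
            continue;
        }
        $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
        $resets[hash('sha256', $token)] = ['id' => $id, 'expira' => $now + RESET_TOKEN_TTL];
        // The e-mail carries this URL; the user id is NOT needed in it.
        return 'https://app.example/nova-senha?token=' . $token;
    }
    // Unknown e-mail: nothing is created, but the caller should answer the
    // user identically in both cases so the form does not reveal who is registered.
    return null;
}

// Step 2: "alterarSenhaPorToken" - validate the token, then set the password.
// The token is hashed before the lookup, so the secret itself is never
// compared byte-by-byte against stored data and the lookup key is uniform.
function alterarSenhaPorToken(string $token, string $novaSenha, array &$users, array &$resets, int $now): bool
{
    $lookup = hash('sha256', $token);
    if (!isset($resets[$lookup])) {
        return false;                              // unknown or already used
    }
    $row = $resets[$lookup];
    unset($resets[$lookup]);                       // single use, even if expired
    if ($now > $row['expira']) {
        return false;                              // expired link
    }
    if (strlen($novaSenha) < 8) {
        return false;                              // minimum length policy (assumption)
    }
    $users[$row['id']]['senha'] = password_hash($novaSenha, PASSWORD_DEFAULT);
    return true;
}

// Demonstration run: request a link, use it once, then try to reuse it.
$now = time();
$url = esqueciSenha('user@example.com', $users, $resets, $now);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
var_dump(alterarSenhaPorToken($q['token'], 'nova-senha-forte', $users, $resets, $now));
var_dump(alterarSenhaPorToken($q['token'], 'outra-senha', $users, $resets, $now));
var_dump(password_verify('nova-senha-forte', $users[42]['senha']));
```

The token does end up in a URL, which is the normal pattern for e-mailed reset links; what limits the exposure (the link landing in server logs, browser history or a Referer header) is that it is short-lived, single-use and stored only as a hash. Submitting the new password by POST, as the question proposes, is right: the password should never be part of the URL. Because the token row already records the user id, accepting a separate `$id` from the client only adds a value the server must cross-check; deriving the user from the token removes that check entirely.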