
'Forgot Password' throttling

I have a 'forgot password' system set up that sends an email with a reset link to the user. My question is: how can I prevent abuse of this system? How can I make sure that people don't use this to spam people's inboxes but still have it usable for the people that need it?


Ask for the registered email address rather than the username? It is much less likely to be known by a malicious user.

Alternately, have a TimeOfLastReset field in your users table, and update this whenever you send an email. If CurrentTime-TimeOfLastReset is too small, then don't send.


When a recovery e-mail is sent, record the time at which it happened. If there are any further/too many recovery requests within a preset time interval (15 minutes? 6 hours? a day?), print a message and don't send the e-mail.
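The throttling the answers above describe (a TimeOfLastReset per account, a cap on further requests inside a preset window, and a link in the mail that has to be clicked before anything changes) combined in one place, as an added example; this is not code from the question or from any of the answers. The class name, the thresholds, the per-IP cap and the sample address are assumptions, and `FakeClock` is a constructed stand-in for real time so the behaviour can be exercised without waiting:

```python
import hashlib
import secrets
import time
from collections import deque

# Thresholds are assumptions for this example, not values taken from the answers.
MIN_INTERVAL = 15 * 60        # seconds between two mails to the same address
WINDOW = 24 * 3600            # sliding window for the per-address and per-IP caps
MAX_PER_ADDRESS = 3           # mails to one address per window
MAX_PER_IP = 20               # requests from one client IP per window
TOKEN_TTL = 60 * 60           # how long a reset link stays valid


class ResetThrottle:
    """Rate-limits 'forgot password' mails and issues single-use reset tokens.

    Hypothetical class written for this example; `clock` is injectable so the
    logic can be tested without sleeping.
    """

    def __init__(self, registered_emails, clock=time.time):
        self._registered = {e.strip().lower() for e in registered_emails}
        self._clock = clock
        self._last_sent = {}          # email -> time of last mail (TimeOfLastReset)
        self._sent_times = {}         # email -> deque of send times in the window
        self._ip_times = {}           # client ip -> deque of request times
        self._tokens = {}             # sha256(token) -> (email, expiry)
        self.outbox = []              # (email, token) pairs the mailer would deliver

    @staticmethod
    def _prune(times, now):
        # Drop timestamps that have fallen out of the sliding window.
        while times and now - times[0] > WINDOW:
            times.popleft()

    def request(self, email, client_ip):
        """Handle one form submission; returns a status string for logging.

        The page shown to the user should carry the same neutral text for every
        status, so the form does not reveal which addresses are registered.
        """
        now = self._clock()
        email = email.strip().lower()

        # Per-client cap first: one client spraying many addresses is cut off
        # before any per-address state is consulted.
        ip_times = self._ip_times.setdefault(client_ip, deque())
        self._prune(ip_times, now)
        if len(ip_times) >= MAX_PER_IP:
            return "throttled-ip"
        ip_times.append(now)

        if email not in self._registered:
            return "skipped-unknown"

        # Per-address checks: minimum gap since the last mail, then the window cap.
        if now - self._last_sent.get(email, float("-inf")) < MIN_INTERVAL:
            return "throttled-interval"
        sent = self._sent_times.setdefault(email, deque())
        self._prune(sent, now)
        if len(sent) >= MAX_PER_ADDRESS:
            return "throttled-window"

        # Issue a random token; only its hash is stored, so a leaked table
        # cannot be turned into working reset links.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (email, now + TOKEN_TTL)
        self._last_sent[email] = now
        sent.append(now)
        self.outbox.append((email, token))
        return "sent"

    def consume(self, token):
        """Redeem a reset link once. Returns the email on success, else None."""
        now = self._clock()
        entry = self._tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return None
        email, expiry = entry
        return email if now <= expiry else None


class FakeClock:
    """Constructed clock for demonstrations and tests."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = ResetThrottle(["alice@example.com"], clock=clock)
    print(throttle.request("alice@example.com", "10.0.0.1"))    # sent
    print(throttle.request("Alice@Example.com", "10.0.0.1"))    # throttled-interval
    clock.advance(MIN_INTERVAL + 1)
    print(throttle.request("alice@example.com", "10.0.0.1"))    # sent
```

The status strings are for the server log; the response page should read the same whether the address was unknown, throttled or mailed, otherwise the form becomes a way to confirm which addresses have accounts. Storing the token hash rather than the token, and expiring and deleting it on first use, is what makes the emailed link the only thing that can complete the reset.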


1) You have to know your email address (not just the username).
2) You can reset your password only once in a timespan.
3) The reset doesn't work immediately; you have to click a link in the mail.


Don't think it really has the potential of being abused by spammers.

For a spammer an automated message (with fixed content) sent to the user is useless.

However, what you can do is add the session id to a hidden field and check it on submit. Or add a hidden (display: none) field with name="message" and an empty value to the form, and check if it is still empty on form submit.

Let the user fill in both their username AND e-mail address and verify it.


If you used email as a login username, it shouldn't be a big problem since not everyone would know their email, and the fact that in order for them to be able to get a reset, their email must match in the database. Therefore it would only be sent and reset if someone entered a valid email.
