CodeIgniter: lost password feature, how to implement?

A client of mine has a site running on CodeIgniter (I did not create it, and know very little about CI), and they would like to add a lost password feature, and I have no idea how to approach implementing this feature using CI. I know PHP, with most of my experience with it being from WordPress.

Can someone point me in the right direction as to the best practices for implementing this kind of thing?


This is how I'd implement it:

  • User clicks on link, "Forgot your password"
  • User types in his/her email address
  • You put a random key and temporary password in the user table
  • You send an email with a link to activate the password you set. The link has the random key
  • User clicks on link. The link should match the random string
  • You activate the password and clear the temporary password and the random string
  • User logs in and changes his password to something he wants

CI is PHP so you'd just implement it as you'd do it in any other PHP project, except you'll be doing it within controllers/models/views.


A good way IMHO is this:

  • If user forgot his pwd, he will require a new pwd. At this point you should store a hash and a timestamp in the db
  • Send an email to the user containing a link to the reset-site with his hash stored in db as a get-param (e.g. example.de/reset-pw/[user's hash here])
  • if user follows this link, site checks the elapsed time between requesting and using of this link (most sites allow a time difference of about one day)
  • if everything is valid, user can enter new pw

You surely can use other systems like a secret question etc., but I prefer the email model because of the maximized security (a question could be answered by others, too, while you'd need to get access to the user's emails here)
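
The hash-plus-timestamp flow from the answer above, as an added example (not part of the original answers, and not CodeIgniter or Ion-Auth code). Assumptions: PHP 7.1+, an in-memory array standing in for the database table, and hypothetical function and field names; storing only the SHA-256 digest of the emailed token and making the link single-use are choices of this example.

```php
<?php
const RESET_TTL = 86400; // one day, the window mentioned in the answer

// Create a reset request; returns the token to embed in the emailed link.
function issue_reset(array &$resets, int $userId, int $now): string
{
    // Drop any earlier pending request so only the newest link is live.
    foreach ($resets as $digest => $row) {
        if ($row['user_id'] === $userId) {
            unset($resets[$digest]);
        }
    }
    $token = bin2hex(random_bytes(32)); // CSPRNG output, 64 hex characters
    // Only the digest is stored, so a leaked table holds no usable links.
    $resets[hash('sha256', $token)] = ['user_id' => $userId, 'created' => $now];
    return $token;
}

// Returns the id of the user allowed to set a new password, or null.
function redeem_reset(array &$resets, string $token, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // not the shape of a token issued above
    }
    $digest = hash('sha256', $token);
    if (!isset($resets[$digest])) {
        return null; // unknown or already used
    }
    $row = $resets[$digest];
    unset($resets[$digest]); // single use; expired rows are removed here too
    if ($now - $row['created'] > RESET_TTL) {
        return null; // link is older than the allowed window
    }
    return $row['user_id'];
}

// Constructed sample run: user id 7, fixed clock values.
$resets = [];
$t0 = 1700000000;
$old = issue_reset($resets, 7, $t0);
$new = issue_reset($resets, 7, $t0 + 10);             // replaces $old
var_dump(redeem_reset($resets, $old, $t0 + 20));      // superseded link
var_dump(redeem_reset($resets, $new, $t0 + 3600));    // valid link, inside window
var_dump(redeem_reset($resets, $new, $t0 + 3700));    // same link replayed
$late = issue_reset($resets, 7, $t0);
var_dump(redeem_reset($resets, $late, $t0 + 90000));  // link used after one day
```

In a CodeIgniter site the array would be a table accessed from a model, with the two functions called from the request and reset controllers.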


CodeIgniter is a regular PHP framework that follows the MVC pattern.

It doesn't have any built-in auth library.

You would have to use some third party library. One of the best ones is Ion-auth. https://github.com/benedmunds/CodeIgniter-Ion-Auth

However, if it's an existing site where people can register, chances are that some auth library is already implemented. I would look under the system/application/libraries (or sometimes /application/libraries) folder to see what libraries are over there and go from there.
