Password resets using HMAC instead of database IDs
Is there a way to generate a cryptographic value that authenticates a request
without any stored ID in the database? Yes!
Details:
- https://security.stackexchange.com/questions/81833/secure-forgot-password-page-is-a-server-stateless-implementation-viable
- https://security.stackexchange.com/questions/101224/hmac-password-reset-link-and-replay-attacks
- https://neosmart.net/blog/using-hmac-signatures-to-avoid-database-writes/
After implementing it, double-check OWASP’s Forgot Password Cheat Sheet.
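A worked version of the stateless approach, added here as an example (it is not code from the linked posts or from OWASP). The token carries the user id and an expiry in the clear, authenticated by an HMAC whose key is derived from the server secret and the user's current password hash, so nothing is written to the database when the link is issued and every outstanding link dies once the password changes, which is the replay concern raised in the second link. `SERVER_SECRET`, the `users` table, the hash strings and the timestamps are constructed placeholders; `lookup_user` stands in for whatever row lookup the application already has.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secret: in a real deployment load it from a secrets
# manager or environment, never hard-code it.
SERVER_SECRET = b"constructed-example-server-secret-replace-me"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _per_user_key(user: dict) -> bytes:
    # Derive a per-user MAC key from the server secret and the user's current
    # password hash. A password change changes the key, so every token issued
    # before the change stops verifying: a used link cannot be replayed.
    return hmac.new(SERVER_SECRET, user["password_hash"].encode(), hashlib.sha256).digest()


def make_reset_token(user: dict, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Issue a reset token without touching the database."""
    now = int(time.time()) if now is None else now
    payload = f"{user['id']}:{now + ttl_seconds}".encode()
    mac = hmac.new(_per_user_key(user), payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_reset_token(token: str, lookup_user, now: Optional[int] = None) -> Optional[int]:
    """Return the user id the token authorises, or None if it is invalid."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        user_id_text, expires_text = payload.decode("ascii").split(":")
        user_id, expires_at = int(user_id_text), int(expires_text)
    except ValueError:  # wrong shape, bad base64, non-integer fields
        return None
    user = lookup_user(user_id)  # hypothetical lookup callable: id -> row or None
    if user is None:
        return None
    expected = hmac.new(_per_user_key(user), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if now > expires_at:
        return None
    return user_id


def demo() -> dict:
    """Walk through issue, verify, expiry, forgery and post-reset replay."""
    # Constructed user table standing in for the database: ordinary user rows
    # only, no reset-token column.
    users = {
        42: {"id": 42, "password_hash": "constructed-hash-before-reset"},
        43: {"id": 43, "password_hash": "constructed-hash-other-user"},
    }
    issued_at = 1_700_000_000
    token = make_reset_token(users[42], ttl_seconds=900, now=issued_at)
    results = {
        "fresh": verify_reset_token(token, users.get, now=issued_at + 60),
        "expired": verify_reset_token(token, users.get, now=issued_at + 901),
        "garbage": verify_reset_token("not.a.token", users.get, now=issued_at + 60),
    }
    # Swap the payload to point at user 43 while keeping user 42's MAC.
    mac_part = token.split(".")[1]
    forged = f"{_b64(f'43:{issued_at + 900}'.encode())}.{mac_part}"
    results["forged"] = verify_reset_token(forged, users.get, now=issued_at + 60)
    # Complete the reset: the stored hash changes, so the old link is dead.
    users[42]["password_hash"] = "constructed-hash-after-reset"
    results["replayed_after_change"] = verify_reset_token(token, users.get, now=issued_at + 60)
    return results


if __name__ == "__main__":
    print(demo())
```

The user id in the payload is not secret, only the MAC is, so nothing about the token format needs hiding. The one property this scheme does not give you is single use before the password actually changes: until the user completes the reset the link stays valid for the whole TTL, so keep `ttl_seconds` short and rate-limit the endpoint that accepts tokens.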