2015-09-17 4:44 GMT-05:00 Andrew Solomon <andrew@geekuni.com>:

Hi Richard,

[Without knowing the full state diagram of the site you're setting up I'm not sure I'm really answering your question, however...]

What I can say is that when you send someone an email with a link to click, the corresponding GET route handler should *not* be assuming there's a session for that user since the web server's session cache may have been cleared before they respond to the email.

If you want the token attached to the user so that when they click on the link you know who's visiting, you should store the token in your database against the user's account.

Does that answer your question?

Andrew

Hi Andrew,

So I end up with something like this?

get '/reset/:token' => sub {

    return template 'passreset' => {

    my $input_hash {

    token => params->{token}

    }

    } # end of return

    # compare against stored tokens
    my ($matched_user_id) = User->lookup_tokens($input_hash->{token});

    if ($user_id < 1) { # does not match

         halt("Unauthorized");

    }

     # token matches that of user no 349.

    session mathced_user_id => $matched_user_id;

};

post '/reset/:token' => sub {

    my $matched_userid;

    if (! (defined session 'matched_user_id')) {

# not supposed to be here

redirect "/";

} else {

$matched_userid = session 'matched_user_id';
}

   my $input_hash = {

       Psw1 => param('password1'),
       Psw2 => param('password2'),

   };

   # make sure passwords match eachother

   # update password for user $matched_userid;


};