ImpressCMS / impresscms

A multilingual, extensible, community oriented CMS developed in PHP
https://www.impresscms.org

Making sure password reset key is unique and temporary #1527

Closed skenow closed 10 months ago

skenow commented 11 months ago

Change in the structure of the data in the field over time has made the old partial string common for all users. This change makes it unique and temporary, basing a portion of the key on their last login. Cleaned up the email subjects a bit, too.

skenow commented 11 months ago

I don't think anyone will be manually entering the key - and there is no way for a user to do that except adding it to the URL.

Hashing the key would keep from exposing actual data in the user's record, once they know the format (read the code). The key also changes the next time the user logs in, which is why I added that to the key. This was simpler than adding another field to the database for password reset request timestamp and count, where we can control how long the key lasts and how many requests can be made before another action is required.

Having a consistent subject line is what I was going for - in one message it had the site name, in the other it had the URL. Looking at the language files, there are similar constants:

define('_US_YOURACCOUNT', 'Your account at %s');
define('_US_RESETPWDREQ', 'Reset Password Request at %s');
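As an added example to go with the reasoning in the comment above (not ImpressCMS code, and not the change in this PR): a stateless password reset key built the way the comment describes. It is keyed with a site secret (an HMAC rather than the plain hash the comment mentions, a choice of this example) so that someone who has read the code still cannot derive it from a user's record, it is bound to last_login so the user's next login invalidates it, and it carries its own issue time so it also expires on its own without a new database column for request timestamp or count. The user array fields, the secret, the TTL and the sample record are all assumptions of this example.

```php
<?php
// Added example, not part of the ImpressCMS code base or of this PR.
// Assumptions: a per-site secret, and a user record exposing uid,
// last_login (unix time) and the stored password hash.

const RESET_KEY_TTL = 3600;                                    // lifetime in seconds (assumption)
const SITE_SECRET   = 'replace-with-a-random-32-byte-secret';  // assumption; load from config

function reset_key_material(array $user, int $issued): string
{
    // Binding the key to uid, last_login, the current password hash and the
    // issue time means it is unique per user, dies when the user logs in again
    // (last_login changes), dies once the password is actually reset (hash
    // changes), and can be checked against a time limit without storing it.
    return implode('|', [$user['uid'], $user['last_login'], $user['pass'], $issued]);
}

function make_reset_key(array $user, int $now): string
{
    // HMAC over the record material: no raw record data appears in the URL,
    // and knowing the format is not enough to forge a key without SITE_SECRET.
    $mac = hash_hmac('sha256', reset_key_material($user, $now), SITE_SECRET);
    return $now . '.' . $mac;
}

function verify_reset_key(array $user, string $key, int $now): bool
{
    $parts = explode('.', $key, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;  // malformed key
    }
    $issued = (int) $parts[0];
    if ($issued > $now || $now - $issued > RESET_KEY_TTL) {
        return false;  // expired, or claims to come from the future
    }
    // Recompute from the *current* record: if last_login or the password hash
    // moved on since the key was issued, the MAC no longer matches.
    $expected = hash_hmac('sha256', reset_key_material($user, $issued), SITE_SECRET);
    // The key arrives in a URL from an untrusted party: compare in constant time.
    return hash_equals($expected, $parts[1]);
}

// Constructed sample record and clock values (not real data).
$user = ['uid' => 42, 'last_login' => 1700000000, 'pass' => '$2y$10$exampleHashValue'];
$now  = 1700003600;

$key = make_reset_key($user, $now);

// Fresh key, record unchanged: accepted.
var_dump(verify_reset_key($user, $key, $now + 60));
// Same key presented after the TTL has passed: rejected.
var_dump(verify_reset_key($user, $key, $now + RESET_KEY_TTL + 1));
// User logged in after requesting the reset, so last_login changed: rejected.
$user['last_login'] = $now + 120;
var_dump(verify_reset_key($user, $key, $now + 180));
```

The issue timestamp inside the key is what gives it a bounded lifetime; a key derived from last_login alone stays valid for as long as the user does not log in again, which is the case the comment notes would otherwise need a stored request timestamp. Generating a fresh key on every request is harmless here, because each one is tied to its own issue time, but nothing in this scheme limits how many requests a user can trigger; rate limiting the request endpoint still has to be done separately.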