
    One I would like to add is to create a cryptographically secure random number as a reset token. Make sure you have something that can’t be guessed by an attacker. So let me explicitly state:

    • Don’t create a hash from a timestamp
    • Don’t create a hash related to user input (like an id or email of the user)
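    The rule in the comment above, worked through as an added example (not code from the commenter or the page): the token comes from the OS CSPRNG rather than from a timestamp or user data, only its SHA-256 digest is stored, it expires and is single-use, and comparison is constant-time. The in-memory dict store, the 15-minute TTL and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed store shape: user id -> (sha256(token), expiry epoch seconds).
# Only the digest is kept, so a leaked store does not yield usable tokens.
TOKEN_TTL_SECONDS = 15 * 60  # assumed policy value for this example
TokenStore = Dict[str, Tuple[bytes, float]]


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("ascii")).digest()


def issue_reset_token(store: TokenStore, user_id: str,
                      now: Optional[float] = None) -> str:
    """Return a fresh 256-bit random token and record only its hash."""
    now = time.time() if now is None else now
    # 32 bytes from the OS CSPRNG: unrelated to time, id or email,
    # so there is nothing for an attacker to reconstruct or guess.
    token = secrets.token_urlsafe(32)
    store[user_id] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def verify_reset_token(store: TokenStore, user_id: str, presented: str,
                       now: Optional[float] = None) -> bool:
    """Accept a token once, before expiry, comparing in constant time."""
    now = time.time() if now is None else now
    entry = store.get(user_id)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now > expires_at:
        store.pop(user_id, None)  # expired tokens are discarded
        return False
    # Compare digests of equal length; hmac.compare_digest avoids
    # leaking where the mismatch occurs through timing.
    if not hmac.compare_digest(stored_digest, _digest(presented)):
        return False
    del store[user_id]  # single use: a replayed token is rejected
    return True
```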

      I use strace -p <PID> for debugging a web server on a Linux machine, especially for operations that explicitly involve the file system, to see which files are being read.