Check out my design: password reset tool for website

When someone has lost their password, they click the "lost or forgotten password" link. They then need to enter their email address and answer their secret question. If the answer to the secret question is correct, an email containing a link is sent to them; the link expires in 24 hours.

When the email is sent, a row is inserted into a database table containing: the email of the person who needs to reset the password, the expiration time of the reset, and the time at which the reset request was sent.

The link that is sent takes the user to a form that lets them enter a new password. In this form they need to enter their email address and the new password twice.

When they click the "Send" button, a check is made against the database to make sure that the reset request is valid (that a password reset is pending for that email) and has not expired (by comparing the two dates to see whether the 24-hour expiration time has passed).

If the request is valid and has not expired, and both passwords match and meet the minimum requirements, the new password is applied.

If successful, a confirmation message appears.

Q1. Is this a good password recovery model? Q2. How can I make sure that the link sent to the user's address is unique, so that no one else ever gets the same link? That is, so that no one can simply go to the reset-password page and try different emails; rather, each account that needs a reset has its own unique URL that works only for that account.

Regarding Q2:

I thought that when the user requests a password reset, a random unique identifier is generated and stored in the same record, and that it expires after 24 hours. This random unique id column could be called "rid".

The link in the email sent to the user ends with: rid=xxxxxxxxxxxxx

"" , , "rid" db, . , reset URL-, reset .

?

.

+5
3
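The flow described in the question (request by email, 24-hour expiry, a per-account "rid" in the link, a form that takes the email plus the new password twice), as an added example that is not code from the question or from any of the answers. It assumes Python 3 with the standard library only, an in-memory sqlite table standing in for the real database, a hypothetical reset endpoint at https://example.com/reset, and made-up function names; the "minimum requirements" from the question are represented by a length check. Two points the question leaves open are made explicit: the rid is generated from the OS CSPRNG (unguessable, so uniqueness follows), and only its SHA-256 hash is stored, so a leaked table does not yield working links.

```python
# Added example (not code from the question or its answers): a minimal single-use,
# time-limited password-reset token flow. Assumptions: an in-memory sqlite DB, the
# hypothetical URL https://example.com/reset?rid=..., and the helper names below.
import hashlib
import hmac
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60          # the 24-hour expiry from the question
RESET_URL = "https://example.com/reset"   # hypothetical endpoint
MIN_PASSWORD_LEN = 12                     # stand-in for "minimum requirements"


def open_db() -> sqlite3.Connection:
    """Create the two tables the flow needs (in memory, so the example runs offline)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL);
        CREATE TABLE password_resets (
            token_hash TEXT PRIMARY KEY,   -- SHA-256 of the rid, never the rid itself
            email      TEXT NOT NULL,
            expires_at INTEGER NOT NULL,   -- unix time, compared against 'now' on use
            used       INTEGER NOT NULL DEFAULT 0
        );
        """
    )
    return db


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt$hash' in hex."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = db.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt_hex, dk_hex = row[0].split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(db: sqlite3.Connection, email: str, now=None):
    """Step 1: the user submits their email. Returns the link to mail, or None.

    The HTTP response must look identical in both cases ("if that address is
    registered, a link was sent"), so the endpoint cannot be used to enumerate accounts.
    """
    now = int(time.time()) if now is None else now
    if db.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone() is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable, hence unique
    db.execute("DELETE FROM password_resets WHERE email = ?", (email,))  # one live rid per account
    db.execute(
        "INSERT INTO password_resets (token_hash, email, expires_at) VALUES (?, ?, ?)",
        (_token_hash(token), email, now + TOKEN_TTL_SECONDS),
    )
    db.commit()
    return f"{RESET_URL}?rid={token}"


def complete_reset(db: sqlite3.Connection, token: str, email: str,
                   new_pw: str, new_pw_again: str, now=None) -> bool:
    """Step 2: the form behind the link. Returns True only if the password was changed."""
    now = int(time.time()) if now is None else now
    if new_pw != new_pw_again or len(new_pw) < MIN_PASSWORD_LEN:
        return False
    row = db.execute(
        "SELECT email, expires_at, used FROM password_resets WHERE token_hash = ?",
        (_token_hash(token),),
    ).fetchone()
    if row is None:
        return False  # unknown rid: nothing to "try different emails" against
    rec_email, expires_at, used = row
    if used or now > expires_at:
        return False  # single use, and the 24-hour window is enforced server-side
    if not hmac.compare_digest(rec_email.encode(), email.encode()):
        return False  # the rid is bound to one account; the typed email must match it
    db.execute("UPDATE users SET pw_hash = ? WHERE email = ?", (hash_password(new_pw), rec_email))
    db.execute("UPDATE password_resets SET used = 1 WHERE token_hash = ?", (_token_hash(token),))
    db.commit()
    return True
```

Because the token is random rather than derived from account data, two accounts cannot receive the same link, and an attacker who knows a victim's email still has to guess 256 random bits; marking the row as used on success means a link found later in a mailbox or proxy log no longer works.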

:

  • OpenID. , , , .
  • . . , - .

, , 99,999% . , ? ...

, make :

  • " "? . , (, ). , . .
  • ( https://site.com/account/reset?key=a890ea8219175f890b7c123ee74a22). , . SSL, .
  • , , , . . , , , , , , . , . .
  • . . , , . , .. . , , , PayPal, , .
  • , , , ( , !) . , , ( , ). . .

, :

  • - . - , , .
  • , - . ! " " , , . , , , ..
  • , , , , , , , - .; -)

, , (OpenID ..) ( , !).

:

: 128 + () ( ), ? , "" / , , , . , 50 . (, .) , , 50- . , , , . 256 overkill - SHA256(salt, email, old pw hash, time stamp, maybe some bytes from /dev/urandom) ... , . , The Matrix , .

Still Pro-OpenID: , , , , , () , OpenID Google/Facebook/ .. - Google/Facebook/ .. ( ) 30 . , , , . , Last.FM Reddit, , , , , . , , , , , , , - ", Reddit, L/P, ( ). , ". , Google -, , Google , ( !).

+6

Q1. , . ? . , .

, -:

  • " reset".
  • (.. ?)
  • , / .
  • .

, .

( ) :

  • reset. IP- : , , IP- reset .
  • : . , - . , / .

, , /, . , , , , , , .

+2
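The answer above recommends limiting how often password-reset requests can be made, per source IP address. As an added example (not code from the answer), the following sliding-window limiter counts reset requests both per client IP and per target email, so that neither a single host nor a single victim address can be hammered; the class name, limits and window length are assumptions chosen for illustration.

```python
# Added example (not from the answer): a sliding-window rate limiter for the
# "request password reset" endpoint. Limits and window are illustrative assumptions.
import collections
import time


class ResetRateLimiter:
    """Allow at most `per_ip` requests per client IP and `per_email` per address
    within `window_seconds`. Counted in memory; a real deployment would use a
    shared store so every app server sees the same counts."""

    def __init__(self, per_ip: int = 5, per_email: int = 3, window_seconds: int = 3600):
        self.per_ip = per_ip
        self.per_email = per_email
        self.window = window_seconds
        self._ip_hits = collections.defaultdict(collections.deque)
        self._email_hits = collections.defaultdict(collections.deque)

    def _prune(self, hits: collections.deque, now: float) -> None:
        # Drop timestamps that have slid out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()

    def allow(self, ip: str, email: str, now=None) -> bool:
        """Return True and record the request, or False if either limit is hit.

        Unknown emails are counted too, so the limiter does not reveal whether
        an address exists by behaving differently for it."""
        now = time.time() if now is None else now
        ip_hits = self._ip_hits[ip]
        email_hits = self._email_hits[email.strip().lower()]
        self._prune(ip_hits, now)
        self._prune(email_hits, now)
        if len(ip_hits) >= self.per_ip or len(email_hits) >= self.per_email:
            return False
        ip_hits.append(now)
        email_hits.append(now)
        return True
```

The per-email limit is what protects one victim from a flood of reset mails (and their inbox from being used as a spam relay); the per-IP limit is what stops a single host from probing many addresses.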

-, reset -. SSL on, . reset. URL-:

http://www.yoursite.com/passwordreset/?id=e3dXY81fr98c6v1

password- reset , - reset, . , / reset (s), .

, reset , - , . ( , !) - , .

URL , , , . , ( , ).

+2
