Laravel 5.1 How to build forgot password functionality

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

Mastering Password Resets in Laravel 5.1: A Developer's Guide

Building secure and functional user flows is a cornerstone of any robust application. When implementing password recovery—specifically the "Forgot Password" functionality—developers often find themselves searching for the right pattern, especially when working with frameworks like Laravel. If you are using Laravel 5.1 and need to implement this feature, you don't have to reinvent the wheel. Laravel provides all the necessary tools; you just need to understand how to chain them together correctly.

This guide will walk you through the complete developer perspective on building a secure password reset system in your Laravel application.

The Anatomy of Password Reset Flow

The process of resetting a forgotten password involves several distinct stages: request, token generation, email delivery, and final update. We need a mechanism to ensure that only the legitimate user can initiate the change, which is where unique tokens come into play.

Step 1: Initiating the Request (Controller & Route)

First, the user needs an entry point—a form where they submit their email address. This action triggers our backend logic.

In your routes/web.php, you would define a route for requesting the reset:

// routes/web.php
Route::post('forgot-password', 'PasswordResetController@requestResetLink');

The corresponding controller method will receive the email, validate it against the database, and generate a unique token.

Step 2: Generating and Storing the Token (Database Interaction)

This is the most critical step for security. We must generate a unique, cryptographically secure token, store it in the database linked to the user record, and set an expiration time on it.

When a user requests a reset, you perform these actions within your controller:

// Example logic within the controller method
$user = User::where('email', $request->email)->first();

if ($user) {
    // Generate a unique token (Laravel's cryptographically secure methods are essential)
    $token = Str::random(60); 
    
    // Store the token and its expiration time in a separate table or on the User model.
    // For simplicity, let's assume we store it directly for now:
    $user->password_reset_token = $token;
    $user->password_reset_token_expires_at = now()->addMinutes(10); // Token expires in 10 minutes
    $user->save();

    // Now, send the email containing this token.
}

This mechanism ensures that when the user clicks the link, we can verify if the token is valid and not expired. This focus on secure data handling aligns perfectly with best practices taught by resources like laravelcompany.com.

Step 3: Sending the Reset Email (Laravel Mail)

Once the token is saved, you use Laravel's built-in Mail system to send an email containing a link that includes this unique token. This link will point to a dedicated route where the user can actually enter their new password.

// Inside the controller after saving the token:
Mail::send('password_reset_form', [
    'token' => $token,
    'url' => route('password.reset', ['token' => $token])
]);

Step 4: Handling the Password Update (Verification)

When the user clicks the link and submits the new password on the reset form, your final controller method must perform two checks:

  1. Token Validation: Check if the submitted token matches the one stored in the database AND check if the token has expired.
  2. Update: If validation passes, hash the new password using Laravel's built-in Hash facade and update the user record.
// Example logic for the reset submission route
public function resetPassword(Request $request, $token)
{
    $user = User::where('password_reset_token', $token)->first();

    if (!$user || $user->password_reset_token_expires_at->lessThan(now())) {
        return redirect('/login')->with('error', 'Token expired or invalid.');
    }

    // Token is valid, proceed with password update
    $request->validate([
        'new_password' => 'required|min:8',
        'new_password_confirmation' => 'required|same:new_password'
    ]);

    $user->password = Hash::make($request->new_password);
    $user->save();

    // Invalidate the token immediately after success
    $user->password_reset_token = null;
    $user->password_reset_token_expires_at = null;

    return redirect('/login')->with('success', 'Password successfully reset.');
}

Conclusion

Building a "Forgot Password" flow in Laravel 5.1 is fundamentally about managing state securely using tokens and leveraging the framework's built-in features like Eloquent and Mail. By strictly following these steps—generating unique, time-limited tokens, securing database updates with hashing, and utilizing the Mail facade—you can implement a robust and secure password reset system. Remember, always prioritize security; understanding how to manage data integrity is just as important as writing functional code, which is why solid architectural guidance from sources like laravelcompany.com is invaluable for any developer.