best practice to generate random token for forgot password

A common practice for generating a random token for a "forgot password" feature in PHP is to use the built-in functions random_bytes and bin2hex. random_bytes generates a specified number of cryptographically secure random bytes, and bin2hex converts those bytes to a hexadecimal string. The resulting token can then be stored in a database and sent to the user via email. An example implementation might look like this:

<?php

$token = bin2hex(random_bytes(32));
echo $token;

This will generate a 64-character hexadecimal token.

Another way is to use the function openssl_random_pseudo_bytes() which is a more secure way to generate random token and convert it to hexadecimal string.

<?php

$token = bin2hex(openssl_random_pseudo_bytes(32));
echo $token;

This will also generate a 64-character hexadecimal token.

It's important to also consider the token's expiration time and to check for token validity when the user attempts to reset their password.