```

### How It Works:

1. **User Input**: The user provides their email on the `forgot_password.php` page.
2. **Account Check**: The server checks if an **approved** user exists with that email. For security, it shows the same success message whether the email is found or not to prevent attackers from guessing which emails are registered.
3. **Token Generation**: A unique, secure token is created with a 1-hour expiry time.
4. **Database Update**: The `users` table is updated with this new token for the specific user.
5. **Email Dispatch**: An email is sent to the user containing a unique link to `password_setup.php`. This link includes the token.
6. **Password Reset**: The user clicks the link, and the `password_setup.php` page verifies the token is valid and not expired, allowing them to set a new 4-digit PIN.

This provides a secure and standard way for your users to regain access to their accounts if they forget their password.
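
The flow in steps 1 to 6, as an added example that is not the project's own code: the column names (`status`, `pin_hash`, `reset_token_hash`, `reset_expires`), the `example.com` link and the sample user are assumptions, and an in-memory SQLite database (PDO `sqlite` driver) stands in for the real one. Storing only a SHA-256 hash of the token and clearing it after one use are choices of this example, not something the steps above specify.

```php
<?php
// Added example: schema, column names and the sample user are constructed assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, status TEXT,
           pin_hash TEXT, reset_token_hash TEXT, reset_expires INTEGER)");
$db->exec("INSERT INTO users (email, status) VALUES ('alice@example.com', 'approved')");

const GENERIC_MSG = 'If that email is registered, a reset link has been sent.';

// Steps 1-5. Returns [message shown to the user, link to email or null].
// The link is returned instead of mailed so the example runs offline.
function requestReset(PDO $db, string $email, int $now): array {
    $q = $db->prepare("SELECT id FROM users WHERE email = ? AND status = 'approved'");
    $q->execute([$email]);
    $id = $q->fetchColumn();
    $link = null;
    if ($id !== false) {
        $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
        $db->prepare("UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE id = ?")
           ->execute([hash('sha256', $token), $now + 3600, $id]);   // 1-hour expiry
        $link = 'https://example.com/password_setup.php?token=' . $token;
    }
    return [GENERIC_MSG, $link];                       // identical message on both paths
}

// Step 6. Checks PIN format, token match and expiry, then invalidates the token.
function completeReset(PDO $db, string $token, string $pin, int $now): bool {
    if (!preg_match('/^\d{4}\z/', $pin)) return false;
    $q = $db->prepare("SELECT id FROM users WHERE reset_token_hash = ? AND reset_expires > ?");
    $q->execute([hash('sha256', $token), $now]);
    $id = $q->fetchColumn();
    if ($id === false) return false;
    $db->prepare("UPDATE users SET pin_hash = ?, reset_token_hash = NULL,
                  reset_expires = NULL WHERE id = ?")
       ->execute([password_hash($pin, PASSWORD_DEFAULT), $id]);
    return true;
}

$now = time();
[$msgKnown, $link]   = requestReset($db, 'alice@example.com', $now);
[$msgUnknown, $none] = requestReset($db, 'nobody@example.com', $now);
var_dump($msgKnown === $msgUnknown);                   // registered vs. unregistered email
parse_str(parse_url($link, PHP_URL_QUERY), $params);
var_dump(completeReset($db, $params['token'], '4821', $now + 3601)); // after expiry
var_dump(completeReset($db, $params['token'], '4821', $now + 60));   // within the hour
var_dump(completeReset($db, $params['token'], '4821', $now + 61));   // same token again
```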