diff --git a/forgotpass.php b/forgotpass.php
index efddf7a..a3e6a8b 100644
--- a/forgotpass.php
+++ b/forgotpass.php
@@ -40,7 +40,7 @@ if(isset($_GET['send']) ) {
 $mailrcpt = $user['email'];
 $mailsubject = "New password for your User";
 $from = "From: Password Reset Service "; //place a real address if we use this in production
- $url_passwordcode = 'https://loginpagefoo.td00.de/forgotpass.php?userid='.$user['id'].'&code='.$passwordcode; //this shouldnt be my domain in prod..
+ $url_passwordcode = 'https://loginpagefoo.td00.de/resetpass.php?userid='.$user['id'].'&code='.$passwordcode; //this shouldnt be my domain in prod..
 $text = 'Hallo '.$user['username'].', please use the following URL to change your password in the next 24h: '.$url_passwordcode.' 
diff --git a/resetpass.php b/resetpass.php
new file mode 100644
index 0000000..16000d6
--- /dev/null
+++ b/resetpass.php
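Review bot: On the changed line `$passwordcode` and `$user['id']` are concatenated into the query string without encoding, so if the code is ever generated with characters outside the unreserved URL set the emailed link breaks; wrap it as `'&code='.rawurlencode($passwordcode)`. The base URL is also hard-coded next to a comment saying it must change for production, and reading it from a configuration value would remove that per-environment edit. The enclosing `if(isset($_GET['send']) )` block starts and ends outside the hunk, and how `$passwordcode` is generated is not visible here.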
@@ -0,0 +1,60 @@
+prepare("SELECT * FROM users WHERE id = :userid");
+$result = $statement->execute(array('userid' => $userid));
+$user = $statement->fetch();
+
+//check if theres a code for the user delivered
+if($user === null || $user['passwordcode'] === null) {
+ die("No User matching your request.");
+}
+
+if($user['passwordcode_time'] === null || strtotime($user['passwordcode_time']) < (time()-24*3600) ) {
+ die("Ooops. This code isn't valid anymore.");
+}
+
+
+
+if(sha1($code) != $user['passwordcode']) {
+ die("Thats not your code. Naughty user!");
+}
+
+
+
+if(isset($_GET['send'])) {
+ $password = $_POST['password'];
+ $password_confirm = $_POST['password_confirm'];
+
+ if($password != $password_confirm) {
+ echo "password or confirmed password wrong";
+ } else {
+ $passwordhash = password_hash($password, PASSWORD_DEFAULT);
+ $statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
+ $result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
+
+ if($result) {
+ die('Changed password. Please goto login now.');
+ }
+ }
+}
+?>
+
+

Set new password

+
+Please enter new password:
+

+ +Confirm new password:
+

+ + +
\ No newline at end of file
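Review bot: The token comparison `if(sha1($code) != $user['passwordcode'])` uses loose `!=`, so two hex digests that PHP parses as numeric strings (both starting `0e` followed only by digits) are treated as equal, and the comparison is not constant-time; replace it with `if (!hash_equals($user['passwordcode'], sha1($code)))`. The guard `$user === null` above it never fires because PDOStatement::fetch() returns `false` for a missing row, and the script only survives because indexing `false` yields `null` (with a warning on PHP 8), so test `$user === false` instead. In the `send` branch `$_POST['password']` is read without `isset` and only compared against its confirmation, so a missing or empty field still reaches `password_hash` and stores an empty password; a minimum-length policy belongs at the same spot. The file's opening (`<?php` up to the `$pdo->` that precedes `prepare(`) appears to have been lost in rendering, so the origin of `$pdo`, `$userid` and `$code` cannot be checked here. The three rewritten spots are below.
```php
// … unchanged: user lookup by :userid …
if ($user === false || $user['passwordcode'] === null) {
    die("No User matching your request.");
}
// … unchanged: 24h expiry check …
if (!hash_equals($user['passwordcode'], sha1($code))) {
    die("Thats not your code. Naughty user!");
}

if (isset($_GET['send'])) {
    $password = $_POST['password'] ?? '';
    $password_confirm = $_POST['password_confirm'] ?? '';

    if ($password === '' || $password !== $password_confirm) {
        echo "password or confirmed password wrong";
    } else {
        // … unchanged: password_hash and UPDATE …
    }
}
```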