Im currently creating signup form in fuelphp how can I implement sending a user a verification link upon user signup? you can also suggest from other framework like laravel I only need the flow on implementing this. Thanks in advance ^_^
The general approach is that after registration you generate a confirmation token and you store it somewhere. It is also common that you set an is confirmed flag to false. In case of Simple Auth you might want to add some fields to the user table. Make sure to include them in the selected fields.
You will also need a controller action which accepts the token. I would also put the username/email into the URL so that simply hitting the confirmation URL with random characters won't work. Find it by username/email and token and validate it, activate the user. Make sure that after validation you clear the token. You don't need it and you want to prevent double verification with the same token (in case you set the user to an unconfirmed state for some reason).
A hook in the login action is needed as well: you need to check whether the account is validated or not. Do not authenticate at first, just validate the user. If it is valid, check if it is confirmed or not. If not, fail with error, if it is then continue with the login process.
When the registration is complete, you send an email to the given email address with a URL to the confirmation page (generated URL containing username/email and confirmation token). (Username/email can be obfuscated/encrypted if it is reversible)
Related
Fairly new here... just need a bit of help if anyone would be so kind?
So I have a confirmation form but I only want people that are using a link sent from the registration form. I tried sending a URL query in that link:
website.com?token=token
Then if you open the confirmation page I check if that token is set, proper length, and pattern, then check it against a database, and if they were already verified.
... the problem I have is submitting the form on that page. I’ve already checked the URL query so the form doesn’t include an input for the token I only ask for a username and password.
Since the code is somewhat long the error SEEMS to comes down to:
if(isset($_POST(‘confirm’)){
// Do form stuff
}elseif(isset($_GET(‘token’)){
// Do token stuff
}else{
// Kick off page
}
The button on the form is 100% named right and the method is post on the form but as soon as I submit I get the //kick off the page error message. I also get kicked off the page without a valid token so I don’t understand what’s not working (also not really sure if this is a good way to do this?)
I'm not familiar with PHP / MySQL and Emails. And I'm pretty sure this question has been asked somewhere already, but I cannot find it. So I apologise if this is troubling and thank you in advance!
Is it possible to do something that user has to click on a link in email first before the user is added into database???
And you know how, for some websites, they have a unique web address for each email validation (Shown in red on the picture)? How do they create a webpage that's unique in for every email ?
Picture credited: https://kayako.atlassian.net/wiki/download/attachments/5734920/subs-validation.png?version=1&modificationDate=1291956283000&api=v2
Thank you a lot for the attention! If it's possible, I prefer not having straight scripts that I can copy and paste because I like to find out myself :P But please do give me some hints because I'm totally lost.
If there's anything that's not clear, please tell me, I'll try my best to clarify it!
The Registration process
User fills out a form online with basic details including an email and password, and submits the form to register.php
register.php adds user info to a temporary location, such as a pending_users table which has all the fields the user submitted along with an expiration and an activation_code fields. This code can be any random, impossible to guess value. eg: hash('sha1', mt_rand(10000,99999).md_rand(10000,99999)). Just don't do anything predictable such as hash the current time, or the username
register.php sends an email to the user with a URL that will link to activate.php and that includes the activation code. eg: example.com/activate.php?code=a2ef24... The email should also inform the user of the expiration (1 to 12hrs validity seems ok to me)
When user clicks the link, she triggers a GET request to activate.php. In doing so, the user proves ownership of the email address
activate.php gets the code from the request parameters, eg: $code=$_GET['code']. With that code, the script queries the pending_users table for the record matching that code.
If the code is found, check that it hasn't expired before proceeding. Expiration prevents someone else much later who gets in the user's account from completing the registration.
If the code is valid, capture the user details from the matching record and delete that record from pending_users table.
Write a matching record in the regular users table. Until this is done, the user could not log in because login script only checks the users table, and ignores the pending_users table.
Registration complete.
Security Note I:
For your users' protection, never store passwords in cleartext. When you receive it from the registration form (eg: $_POST['pwd'], do:
$pwd = $_POST['pwd'];
//first validate; it should meet minimum requirements
$pwd_hash = password_hash($pwd, PASSWORD_DEFAULT); // <- the hash gets stored
Later, to verify the password, do:
password_verify($cleartext_pwd, $pwd_hash);
It will return true if the password is correct; false otherwise.
Security Note II:
For your protection, never insert user supplied values directly in your DB queries. This means any value that arrives from the outside. Not just usernames, emails, passwords... but also values that you're getting back from the user such as activation_code above or cookie values or headers (eg User-Agent). Instead, learn to use prepared statements. This will protect you from SQL injection.
Not sure if it's possible to add datas in database after the validation...
When I want to do something like that, I create a data in the users table (or metas users table) like "validate".
If this data is "true", then the user already did the validation and he can use his account. If it's still set on "false", the user didn't validate his account : he can't use it.
With that, you have to make sure the account is validate when the user tries to log in, but it's not a big deal ^^
Hope it's usefull.
Those are not a unique websites, there is only one script validating the registration finalization. The incoming requests (when the user has clicked the link) are routed all to the same script by means of server side "request rewriting", so that the random token value is available as an argument (parameter) to the script execution.
What the script does: it checks if that random token value does exist in the database where it has been generated and stored before when the user actually registered.
The only thing left to do for that script is to remove the confirmation random token and/or set a flag indicating that the registered use has actually confirmed his identify (email address) by clicking the link.
Easy and straight forward. Hard to bypass, since you cannot guess what random token value has been generated for what registered user without receiving the email. However take into consideration that it is trivial for an attacking script to use anonymous email services (one time email addresses) to receive and evaluate such a confirmation request, if the process is known to the attacker.
I am working with a partner site to embed a form onto my site where users can login to a portal. The portal developer has granted me access to a web-login service in order for me to pass variables from my site to his.
This is the information given How can I make this work in PHP, I have a form with a checkbox, and username and password but don't quite know how to make it pass variables I am not seeing any connection on my end. And I don't know how to set it up where they are redirected to a page on my site when the reset their password any ideas?
I have done this before using a WordPress login and adding it to my main site so I know most of the basics to make it work but what I have applied so far has not worked for me. I guess I need a little nudge in the right direction to get the brain working again.
Thanks in advance.
From the Developer
I am working on a web login service that you could use and have enough done that I can
send you the requirements.
Form Post URL: http://portal.blank.com/services/formlogin.cfm
Form variables:
portallogin - can be any value if present the following form variables are required:
errorurl - URL to be redirected to if an error occured. There will be an "error" url variable present with a human readable error string.
portalurl - (optional) URL to be redirected to if successfully logged in. if not present will be redirected to http://portal.blank.com
username - username of user
password - password of user
agreeterms - can be any value just needs to be present to authenticate
fogotpassword - can be any value if present will lookup password based on email address and password will be emailed
email - email address associated with user
returnurl - URL to be redirected to after running password lookup
An easy method would be to use Snoopy, a PHP class. A harder method (but no less effective) would be to use PHP's cURL functions to post your data to the form. This is assuming you're trying to keep your link to your partner's site hidden from your users.
Alternatively, you could just make a simple HTML form and set the form action to "http://portal.blank.com/services/formlogin.cfm" if you don't care that your users know you're authenticating them against some other site. I'd use https if available.
I'm using the creditsystem.com/ws API.
In order to send requests to creditsystem on my page, I have to specify the account username and password in my form (this is an account received from creditsystem).
Obviously, I can't show those values to the end user. The fields will be hidden, but the user could browse the code and see the username/password of the creditsystem account.
How to do this securely?
One idea I had was to call a secure page via ajax (and sending a token), which will then call another ajax and return the response from the creditsystem. But I'm not sure whether this would work and whether this would be a correct approach.
I would suggest you to collect the form data inputted by the user, then using curl you could send a POST request to the website, in which you include your username, password and the other data provided by the user. In this way the call to the API is done server-side and not client-side, avoiding any problem concerning your username/password visibility.
You can find a lot of examples on the web: http://www.google.com/search?q=php+curl+post.
I have a login form set up on my domain (eg: www.example.com/login).
When the user enters their login information, I need those details to be passed through a login form on an external website and the user directed to the application that they are logging into.
So to add the user steps to this:
1. User enters login information on www.example.com/login
2. User is directed to and has access to application on www.external.com/application without having to re-enter login details at www.external.com/login
The problem is, I'm not sure how to go about doing this. I found some references to cURL which from what I could gather is the best approach to take.
Any help with this would be appreciated .. I'm a PHP novice! Also ... the application on the external website is ASP.NET (I'm not sure if this has any factor on getting this to work).
Thanks for your help, Mark.
Depending on how your application works, what could work is have your login form on example.com/login point to external.com/application
so your form tag would look like this:
<form action="external.com/application" method="post">
Now your external.com/application will have to be setup to accept the data from the login form. When the form is submitted the browser should direct itself to external.com/application.
This is a possible approach :
On www.example.com/login, do a classic login form which is submitted on itself
On www.example.com/login, when a $_POST is detected :
check that the credentials are good
if yes, store within a table in you db server an hash dedicated to this user (by hashing his id/user/etc... whatever you wish)
redirect to www.external.com/login?hash=the_generated_hash
On www.example.com/verifyHash.php:
create a simple php file that take a hash in $_GET and echo "true" if this hash exists in your db
on www.external.com/login
check that a hash is passed in $_GET
if yes, do a simple $result = file_get_contents("www.example.com/verifyHash.php?hash=$_GET["hash"]");
if the result is true then you can assume that the user has valid credentials.
Of course, you can optimize this whole thing by passing a user id along your hash, by implementing some security when your asking remotly verifyHash, etc...