I am using the EZ Publish CMS:
What is currently happening:
1) From the "forgot password" page, the user enters the email address that they used to register and submits.
2) The user receives an email with a password-generating link which uses a hash to confirm their identity.
3) The user receives an email with a freshly generated password.
4) The user returns to the site using the link from their email, which takes them to a form that asks for the old password (which was just generated and has been sent to their email) and for them to enter a new password.
What I want to happen:
1) From the "forgot password" page, the user enters the email address that they used to register and submits.
2) The user receives an email with a link to the "enter new password" form.
3) On the "enter new password" form, the user is not required to enter the old password, because identity has already been confirmed by the hash, and therefore only has to enter the new password.
I am using the EZMBPAEX extension which has the original 4 step process.
There doesn't seem to be any documentation or discussion about removing the "email the user a new password" step but my client has a very strict no passwords sent by email policy so I can't flex on this.
Does anyone know where I can find documentation on how to edit this functionality?
I think the file that will need to be edited is located in:
/extension/ezmbpaex/modules/userpaex/forgotpassword.php
First of all, create a function to generate a random string for you. Let's say you need to create a random string of 32 characters; choose any number of characters you want.
Function to generate the random code which will be sent by email and added to the db:
function genRandomString() {
    $length = 32;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";
    for ($p = 0; $p < $length; $p++) {
        // random_int() is a CSPRNG; mt_rand() output is predictable and must not be used for reset codes
        $string .= $characters[random_int(0, strlen($characters) - 1)];
    }
    return $string;
}
Next, create a new table using phpMyAdmin, a table named forgotten_passes which contains three columns; let's say you already did that.
$key = genRandomString(); // assign random code
// Bind the values instead of splicing them into the SQL ($db is assumed to be a PDO connection)
$assign = $db->prepare("INSERT INTO `YOUR_DB_NAME`.`forgotten_pass` (`email`, `randomKey`, `time`)
VALUES (?, ?, CURRENT_TIMESTAMP)");
$assign->execute([$email, $key]);
Next, send an email which contains a link to your resetpassword.php page (the page where the user is asked to choose a new password and confirm it), but do not forget to pass the generated key as a GET variable. That's easy: when you write the link
www.yourdomain.com/pass_reset.php (ADD ?secretkey=THE_GENERATED_KEY_HERE)
so the link sent to the email address of the person who needs to reset the password should contain something like:
Hello username, to reset your password click on the link below or copy/paste it into your browser
The link: http://www.yourdomain.com/pass_reset.php?secretKey=a12s236d5c8d4fkejus10a1s2d4c8741
When the user clicks on the link, he will go to a page which verifies his email and its corresponding random key in the SQL database. If it finds that there really is an email with that random key, then the user has really confirmed his email, so this page should contain something like below:
<?php
$rows = [];
if (isset($_GET['secretKey'])) {
    $secretKey = $_GET['secretKey'];
    // Check whether it really exists in the database. The link only carries the key,
    // so look the row up by key; the email comes back with the row. The value is bound
    // as a parameter, never spliced into the SQL ($db is assumed to be a PDO connection).
    $stmt = $db->prepare('SELECT email FROM forgotten_pass WHERE randomKey = ?');
    $stmt->execute([$secretKey]);
    $rows = $stmt->fetchAll();
}
Now, just count the number of rows to see if there is returned data; if there is, then the user really logged in to his inbox and clicked the link.
Just do the following:
if (count($rows) > 0) { echo "Success, ";
?>
<!-- in this part type the html code which displays two password inputs (password
     and confirm password); passupdate.php connects to the database and updates the
     user's password. The key is carried along in a hidden field so that passupdate.php
     knows which row (and therefore which user) the new password belongs to. -->
<form method="post" action="passupdate.php">
<input type="hidden" name="secretKey" value="<?php echo htmlspecialchars($secretKey); ?>"/>
<input type="password" name="password" value=""/>
<input type="password" name="confirmedPassword" value=""/>
<input type="submit" value="Save my new password">
</form>
<?php
} else {
    echo "Sorry, invalid reset link";
}
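The full reset flow that the answer above sketches (issue a code, email a link, verify it, let the user set a new password without the old one), as an added example that is not part of the original answer. It stores only a SHA-256 digest of the code, gives it an expiry and makes it single use; the table names, column names and the in-memory SQLite database are assumptions made for this demo so that it runs stand-alone:

```php
<?php
// Added example: token-based password reset with PDO on an in-memory SQLite database.
// Table/column names are assumptions for this demo, not the plugin's schema.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE forgotten_pass (
    email      TEXT    NOT NULL,
    token_hash TEXT    NOT NULL,
    expires_at INTEGER NOT NULL,
    used       INTEGER NOT NULL DEFAULT 0)');

// Constructed sample user
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: issue a code. Only its digest is stored, so a leaked table does not
// hand out live reset links; the raw code goes into the emailed link.
function issueResetToken(PDO $pdo, string $email, int $ttlSeconds = 3600): ?string {
    $exists = $pdo->prepare('SELECT 1 FROM users WHERE email = ?');
    $exists->execute([$email]);
    if (!$exists->fetchColumn()) {
        return null; // the page shown to the visitor should look the same either way
    }
    $token = bin2hex(random_bytes(32)); // CSPRNG, 256 bits, 64 hex characters
    $pdo->prepare('INSERT INTO forgotten_pass (email, token_hash, expires_at) VALUES (?, ?, ?)')
        ->execute([$email, hash('sha256', $token), time() + $ttlSeconds]);
    return $token;
}

// Step 2: the link carries the raw code; look it up by digest, rejecting
// expired and already-used rows. Returns the email the code was issued for.
function findValidReset(PDO $pdo, string $token): ?string {
    $stmt = $pdo->prepare(
        'SELECT email FROM forgotten_pass WHERE token_hash = ? AND used = 0 AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['email'] : null;
}

// Step 3: set the new password and burn the code. No old password is asked for,
// because possession of the code is what proved identity.
function completeReset(PDO $pdo, string $token, string $newPassword, string $confirm): bool {
    if ($newPassword !== $confirm || strlen($newPassword) < 8) {
        return false;
    }
    $email = findValidReset($pdo, $token);
    if ($email === null) {
        return false; // unknown, expired or already-used code
    }
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE email = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email]);
    $pdo->prepare('UPDATE forgotten_pass SET used = 1 WHERE token_hash = ?')
        ->execute([hash('sha256', $token)]);
    $pdo->commit();
    return true;
}

// Demo run with the constructed user
$token = issueResetToken($pdo, 'alice@example.com');
$link  = 'https://www.yourdomain.com/pass_reset.php?secretKey=' . $token; // this is what gets emailed
var_dump(completeReset($pdo, $token, 'new-secret-pw', 'new-secret-pw'));  // first use
var_dump(completeReset($pdo, $token, 'another-pw', 'another-pw'));        // same code again: single use
var_dump(completeReset($pdo, 'not-a-token', 'x12345678', 'x12345678'));   // unknown code
```

In a real deployment `issueResetToken()` runs in the "forgot password" handler and `completeReset()` in `passupdate.php`, with `$token` taken from the `secretKey` field of the form. Storing the digest rather than the code itself is what lets the table be read without turning every pending row into a working reset link.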
When I updated the plugin it had the number of steps I wanted.
Is checking against my table with the user's email and dedicated hash enough to verify and activate an account if a match is found against those two values?
A user is asked to register themselves with user data and their email id. They are then sent a URL to their email which they are asked to click on to confirm and activate their account.
This is my current setup:
<?php //The user-account-creation processing page
// $pdo is assumed to be an open PDO connection; the "..." columns of the real table are left out
$email_id = $_POST['email_id'];                                 // taken from user input
$randomnessWhateverItsCalled = bin2hex(random_bytes(16));       // "lots-of-randomness-here", fresh per user
$advert_hash = sha1($email_id . $randomnessWhateverItsCalled);  // SHA1(CONCAT($email_id, $randomnessWhateverItsCalled))
//The PDO stuff, with the other columns omitted
$stmt = $pdo->prepare('INSERT INTO table_name (user_email, hash, account_activated) VALUES (?, ?, ?)');
$stmt->execute([$email_id, $advert_hash, 'NO']);
/**
Send an email with some php code with the URL that would look like this
URL to click on attached to email body:
*/
//The link carries the stored hash so that activate-user.php can match it directly against the row
$attachStringToEmailBody = "http://www.domainname.com/activate-user?email_id=" . urlencode($email_id) . "&hash=" . $advert_hash;
//Send email from this process page with a little email php code
//Redirect user to a page informing the user to activate the account by visiting their email and clicking on the url
?>
Then in the activate-user.php page I have the following:
<?php
$user_email = $_GET['email_id'] ?? '';
$hash = $_GET['hash'] ?? '';
//search database and return a row if there is a match containing both the $user_email and the $hash
$stmt = $pdo->prepare('SELECT 1 FROM table_name WHERE user_email = ? AND hash = ? AND account_activated = ?');
$stmt->execute([$user_email, $hash, 'NO']);
if ($stmt->fetchColumn()) {
    //Update database and set the `account_activated` column to `YES`
    $pdo->prepare('UPDATE table_name SET account_activated = ? WHERE user_email = ?')
        ->execute(['YES', $user_email]);
}
else {
    //Tell if there was no match then activation failed
    //Let the user know that we do not recognise the link they used to try and activate their account.
}
?>
It seems secure enough, as long as you made the "randomness" part hard to guess. You can put there the email, username, password, etc. and mix them up with another key - all encrypted - that's what I usually do.
But I would advise you to use 0/1 for active/inactive. Why use strings, when you can do the same with smallint(1) and save some space, thus making the database a bit lighter?
I've a website and its access should be restricted. So, on entering the page, before page load we should restrict the access with three fields, i.e., the username and password of the client and a specific password for that page; these three were created by me and are stored in a database.
I've basic knowledge of Javascript and PHP.
My idea is that before the page loads, Javascript should get the three field values entered by the user, and with PHP we have to validate them against a database; if a match occurs then the page should load, if not, access to that page should be denied.
In brief: on hitting the URL and before page load, a connection to the database has to be made, the 3 fields entered by the user/client should be taken and verified against the MYSQL database by PHP, and on successful authentication the page should be displayed.
Please come up with code suggestions. Thanks in advance :)
I have created a function which you may use:
<?php
// Looks up $username in $table and compares the stored password digest against
// $password run through the hashing steps listed in $salt. $con is a mysqli
// connection (see the usage example below); the old mysql_* functions are gone in PHP 7.
function login($username,$password,$salt,$db,$table,$usercolumn,$passwordcolumn,$con)
{
    if(!mysqli_select_db($con,$db))
    {
        return "connection error";
    }
    // Apply the caller's steps in order: "md5" hashes, any other value is used as a crypt() salt
    $enc=$password;
    foreach($salt as $value)
    {
        if($value=="md5")
        {
            $enc=md5($enc);
        }else
        {
            $enc=crypt($enc,$value);
        }
    }
    // The username is bound as a parameter, never spliced into the SQL. Table and
    // column names cannot be bound, so they must come from your own code, not from user input.
    $stmt=mysqli_prepare($con,"SELECT `$passwordcolumn` FROM `$table` WHERE `$usercolumn`=?");
    mysqli_stmt_bind_param($stmt,"s",$username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt,$passdb);
    $found=mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    if(!$found)
    {
        return false; // no such user
    }
    // Constant-time comparison of the stored digest and the recomputed one
    return hash_equals($passdb,$enc);
}
?>
You may use this, and if it returns true, that means the username and password are correct; now you have to validate your third option...
To use this function, you just need to call it like this after copying that function to a file; if it is named "logger.php":
<?php
require("logger.php");
$enc=array("salt","md5","differentsalt");//your encryption: if you have encrypted using 'salt' at first, then using md5 hash and again 'differentsalt', then you need to give it like I have given
if(login($username,$password,$enc,$db,$table_name,$usercolumn,$passwordcolumn,$con)===true)//$username is the username which the user supplied, $password is the password the user supplied, $enc is the encryption and it must be an array, as given above, $db is the database name, $table_name is the table where username and encrypted password are stored, $usercolumn is the column where usernames are stored, $passwordcolumn is the column where encrypted passwords are stored, and last $con is the connection identifier you have opened, $con=mysqli_connect("host","username","password");
//if all the parameters are supplied correctly, it will check for the username and password matching and you will have to check the third option
//(===true matters: on a database problem the function returns the string "connection error", which would otherwise count as success)
{
    //now validate your third option here...
    //if you are here, that means password and username have matched
}
else
{
    //this means username and password didn't match... so output the error
}
?>
For accepting the username and password, you may create a form and ask for the password there and then submit...
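An added example of the three-field check the question asks for (username, user password, page-specific password), written for this page and not taken from the answer above. It keeps every password as a `password_hash()` digest and verifies with `password_verify()` instead of an md5/crypt chain; the two tables and the in-memory SQLite database are assumptions so that it runs stand-alone:

```php
<?php
// Added example: gate a page on username + user password + page password,
// all stored as password_hash() digests. Schema and data are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE page_access (
    page               TEXT NOT NULL,
    username           TEXT NOT NULL,
    page_password_hash TEXT NOT NULL,
    PRIMARY KEY (page, username))');

// Constructed sample data: one user who is allowed onto one page
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT)]);
$pdo->prepare('INSERT INTO page_access VALUES (?, ?, ?)')
    ->execute(['reports', 'alice', password_hash('reports-key', PASSWORD_DEFAULT)]);

// True only when the user exists, the password matches and the page password matches.
// Both verifications always run, so a bad username and a bad page password take the same path.
function login(PDO $pdo, string $username, string $password, string $page, string $pagePassword): bool {
    // Verified in place of the real digest when the user is unknown, so response time
    // does not reveal which usernames exist
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT u.password_hash, p.page_password_hash
                           FROM users u
                           LEFT JOIN page_access p ON p.username = u.username AND p.page = ?
                           WHERE u.username = ?');
    $stmt->execute([$page, $username]);
    $found = $stmt->fetch(PDO::FETCH_ASSOC);
    $row = $found ?: ['password_hash' => $dummy, 'page_password_hash' => $dummy];

    $userOk = password_verify($password, $row['password_hash']);
    $pageOk = $row['page_password_hash'] !== null
        && password_verify($pagePassword, $row['page_password_hash']);
    return $found !== false && $userOk && $pageOk;
}

// Demo calls against the constructed data
var_dump(login($pdo, 'alice', 'alice-pw', 'reports', 'reports-key')); // all three correct
var_dump(login($pdo, 'alice', 'alice-pw', 'reports', 'wrong'));       // page password wrong
var_dump(login($pdo, 'alice', 'alice-pw', 'billing', 'reports-key')); // no access row for this page
var_dump(login($pdo, 'nobody', 'alice-pw', 'reports', 'reports-key')); // unknown user
```

On the restricted page itself this check runs at the very top, before any content is emitted, with the three values read from the submitted form (`$_POST`) and the page name fixed in the PHP file; when it returns false the script sends a 403 and exits. The check has to be done server-side: the JavaScript the question mentions can only collect the fields, since anything the browser does can be skipped by the visitor.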
I am trying to send the user an email with a link (like many sites do) and when they click this link, their account will be activated. How exactly would I do this in Php?
I would do it this way:
1) Upon completion of registration, flag account as inactive (pending confirmation), and create two strings of random characters.
2) Store both strings in the database and associate them with the user.
3) Email a link to the user that has a link back to a page on your site and contains both strings.
Ex: www.mysite.com/confirm.php?auth1=j0832r2&auth2=fji4j32ion
4) Have your page check that both codes match, and if so, flag the account as active.
Hope this helps.
Here's the section of code that I use to send verification emails.
//create login hash
$hash = hash('whirlpool', $user->authentication->password . time() . $user->authentication->salt);
if( !Quick_Login::add($hash, $user->userid, time() + 3600, 0) )
{
// die
}
//load email template
ob_start();
include('templates/account_create.html');
$body = ob_get_clean();
if( Mail::sendMail($user->contact->email, 'no-reply-automator#domain.com', "Email Verification", $body) )
{
//redirect to login
throw new RedirectBrowserException("/index.php?code=6");
}
The Mail class is a simple mailer that I built, you can easily just use the php mail() function.
The email template that's loaded here is this:
<html>
<body>
<div style="width: 600px; border: 2px solid #E9EBF6; margin: auto; font-size: 16px; color: #555555;">
<h1 style="margin: 0; padding: 8px; background-color: #E9EBF6; text-align: center;">
Hello, <?=$user->fname;?>!
</h1>
<div style="overflow: hidden; padding: 8px; padding-top: 0; background-color: #F5F6FB;">
<p>You are receiving this email because you (or someone pretending to be you!) has signed up for a new account on the Domain System.</p>
<p>If you would like to verify this email account (and you must in order to use the system), please click this link.</p>
<p>If you don't know what this is about, or you don't want the account, simply do nothing.</p>
<p>The quick login link above is a one-time access pass to your account. Please use the link to verify your email address and complete your account signup.</p>
<br />
<p>Thanks!</p>
<p>-Domain</p>
</div>
</div>
</body>
</html>
The link they click in there goes to this script (verify.php):
<?php
set_include_path('../../backbone:../../global:../../jquery:../../components:../../content:../../images:../../model:../../render:../../scripts:../../styles');
require_once('RedirectBrowserException.php');
require_once('User.php');
require_once('Session.php');
require_once('Quick_Login.php');
setSession(0, '/');
$code = isset($_GET['code']) ? $_GET['code'] : null;
if( $code )
{
$ql = Quick_Login::getByHash($code);
if( $ql )
{
$user = User::getByID($ql->userid);
$user->disabled = 0;
$user->save();
setSessionVar('active', true);
setSessionVar('roleid', $user->authentication->role->roleid);
setSessionVar('userid', $user->userid);
$ql->used = 1;
$ql->save();
throw new RedirectBrowserException("/home.php?code=0");
}
else
{
throw new RedirectBrowserException('/index.php?code=9');
}
}
else
{
throw new RedirectBrowserException('/index.php?code=9');
}
?>
You'll see in that last script that it sets disabled=0 on their account, as well as logging them in (setting active on their session, and assigning their roleid and userid on the session).
Hope this helps.
Update
This is what's happening under the hood without all the code.
A random string of characters is created (preferably one that is not randomly guessable)
That string is stored in the database, with a link to the user's ID
An email is sent to the user containing a link to a script and the hash (e.g., verify.php?code=sdflnsdlknsge98y32598swob)
When the user clicks the link, the script handling it checks the database for that string (sdflnsdlknsge98y32598swob). If it's valid, it sets a flag on the user's account that indicates that they have validated their email address.
[OPTIONAL] The script can also log the user in automatically when they verify their email address.
I do the following.
Collect their email address and password
Store their password as a protected hash. I'm using PHP 7 so I use
password_hash($user_password, PASSWORD_DEFAULT);
Create and store a unique confirmation ID. I'm anal and paranoid, so I create long strings. In this case, 64 characters (32 bytes, bin2hex = 64 characters).
$confirm_code = bin2hex(random_bytes(32));
Email the user the confirmation link built using $confirm_code.
When the user clicks the link, set a database flag (e.g., "active_user") to indicate confirmation is complete. I do not delete the confirmation code.
OK, remember that I'm anal and paranoid. The backend does not delete the confirmation code and every new confirmation code is checked against all previous confirmation codes to ensure it really is unique. Why? So people can't happenstantially use their email link at a later date to confirm an account that isn't actually theirs and to guarantee no one gets a confirmation code that was issued to but possibly not used by someone else. (Remember, nothing is ever actually "unique" or "random" in the world of computers. If you don't check, you don't know.)
Also, you should NEVER automatically log someone in from their confirmation link. That's a huge security violation. Anyone could click the link before activation and suddenly they have full access to the account. Always force users to log in after confirmation.
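An added example of the registration and activation steps described in the two answers above (random confirmation code, stored flag, no automatic login), written for this page rather than taken from either answer. It lets a UNIQUE constraint do the "check against all previous codes" work and keeps used codes in the table; the `members` table and the in-memory SQLite database are assumptions so it runs stand-alone:

```php
<?php
// Added example: registration with a confirmation code, and an activation step
// that only flips a flag and never starts a session. Schema is constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// UNIQUE on confirm_code makes the database refuse a reissued code, and rows keep
// their code after activation, so an old link can never match a newer account.
$pdo->exec('CREATE TABLE members (
    email         TEXT    PRIMARY KEY,
    password_hash TEXT    NOT NULL,
    confirm_code  TEXT    NOT NULL UNIQUE,
    active_user   INTEGER NOT NULL DEFAULT 0)');

// Creates the inactive account and returns the code to put in the emailed link.
function registerMember(PDO $pdo, string $email, string $password): string {
    $taken = $pdo->prepare('SELECT 1 FROM members WHERE email = ?');
    $taken->execute([$email]);
    if ($taken->fetchColumn()) {
        throw new RuntimeException('email already registered');
    }
    $hash   = password_hash($password, PASSWORD_DEFAULT);
    $insert = $pdo->prepare('INSERT INTO members (email, password_hash, confirm_code) VALUES (?, ?, ?)');
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $code = bin2hex(random_bytes(32)); // 32 bytes from the CSPRNG, 64 hex characters
        try {
            $insert->execute([$email, $hash, $code]);
            return $code;
        } catch (PDOException $e) {
            if ((string) $e->getCode() !== '23000') {
                throw $e; // anything other than a constraint clash is a real error
            }
            // a 256-bit code collided with an earlier one (practically never); draw another
        }
    }
    throw new RuntimeException('could not generate a unique confirmation code');
}

// Activation marks the account and nothing else; the user still logs in normally.
function activateMember(PDO $pdo, string $code): bool {
    $stmt = $pdo->prepare('UPDATE members SET active_user = 1 WHERE confirm_code = ? AND active_user = 0');
    $stmt->execute([$code]);
    return $stmt->rowCount() === 1; // false for unknown codes and for a link clicked a second time
}

// Demo run with a constructed member
$code = registerMember($pdo, 'bob@example.com', 'correct horse battery staple');
$link = 'https://www.mysite.com/confirm.php?code=' . $code; // emailed to bob; no session is created
var_dump(activateMember($pdo, $code));                // first click
var_dump(activateMember($pdo, $code));                // second click: already active, nothing changes
var_dump(activateMember($pdo, str_repeat('0', 64)));  // code that was never issued
```

The activation handler returns a boolean and touches no session state; the login page then checks `active_user = 1` alongside `password_verify()`. That separation is what prevents the problem described above, where anyone holding the link would be logged in as the account owner.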
The way that I have done it many times is, during registration, to keep a field in the members table called "Active" which is a bool (0 or 1), 0 being no, 1 being yes. During registration mark them as 0. Also you will need a field for the registration code. Or you can create a new table of userid/registration code and compare against it.
When the user registers, create a unique code. Log that code and send them an email. When they click on the link in the email, check against the table with the code, and if it matches a code in the db, change the active field for that user to 1.
When they register, add a unique ID to the database for their username. Also have an "active" column set to 0. To send them an email, use the PHP mail() function. Have a link in the email linking to yoursite.com/activate?id=uniqueid. Fetch the ID on activate.php, do some checks, and set the "active" column in the database to 1.
I'm using joomla 1.7 and I want for some users to not have the option to insert a username.
I'm trying to set that on registration (for said users) the system will save the inputted email in the username field and the email field, and remove the username textbox from the form.
I know I need to insert $data['username'] = $data['email'] somewhere but I can't find the right place.
I tried to put it like this in the registration model under public function register($temp), with no success. I can't find another logical place to put it.
// Prepare the data for the user object.
$data['my_teacher'] = $data['my_teacher'];
$data['email'] = $data['email1'];
$data['username'] = $data['email1'];
$data['password'] = $data['password1'];
$useractivation = $params->get('useractivation');
I found a way to do this.
Just add
if(isset($temp['email1'])){
    $temp['username'] = $temp['email1'];
}
right under
$temp = (array)$app->getUserState('com_users.registration.data', array());
in the module file, then remove the "username" field from the .xml and add a hidden field named jform[username] with id jform_username in the default.php file in views/registration/tmpl.
The line looks like this:
<input type="text" name="jform[username]" id="jform_username" value="<?php echo 'something.random.that.will.be.replaced.with.the.email'; ?>" style="visibility:hidden;">
All the files that I am talking about are under /components/com_users/
It should work...
http://extensions.joomla.org/extensions/access-a-security/authentication/10343
The above extension will remove the need for users to enter a username on registration. However it generates a username based on the name field. It uses the email address as the username only as a last resort, because this can cause problems with certain extensions in Joomla. It also allows users to login with their email address.
Dylan
I am using the jQuery chat tutorial
for chatting. I am working on this to make registration separate, using a username and password.
Right now it is taking a username and gravatar for registration. I changed my code for registration. But if it finds the username in the database, it just updates its timestamp and password, leaving the username unchanged. But I want to show an error if the username already exists. How can I achieve this goal?
Also it is deleting the user from the database after some time in an idle state. How can I remove this functionality?
Set the name field in webchat_users to unique. Or insert following lines of code into your PHP class:
$userEnteredName = 'John';
$row = mysql_fetch_assoc(DB::query("SELECT `name` FROM `webchat_users` WHERE `name` LIKE '".mysql_real_escape_string($userEnteredName)."' LIMIT 1"));
if(!empty($row['name'])) {
// Username taken
die('Username taken.');
} else {
// Proceed registration.
}
For your second problem: Simply remove line 33 & 34 from Chat.class.php.
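The answer's first suggestion (make the name column UNIQUE) as an added example that is not part of the original answer: the INSERT itself reports a taken username, which also closes the gap where two registrations for the same name pass the SELECT check at the same moment and both get inserted. The reduced `webchat_users` table and the in-memory SQLite database are assumptions for this demo:

```php
<?php
// Added example: rely on a UNIQUE constraint instead of SELECT-then-INSERT.
// Reduced stand-in for the tutorial's webchat_users table, constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// COLLATE NOCASE gives the same case-insensitive match the answer's LIKE gets on MySQL
$pdo->exec('CREATE TABLE webchat_users (
    name          TEXT    COLLATE NOCASE NOT NULL UNIQUE,
    password_hash TEXT    NOT NULL,
    last_activity INTEGER NOT NULL)');

// True when the name was free and the row was created, false when the name is taken.
function registerChatUser(PDO $pdo, string $name, string $password): bool {
    $stmt = $pdo->prepare('INSERT INTO webchat_users (name, password_hash, last_activity) VALUES (?, ?, ?)');
    try {
        $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT), time()]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {
            return false; // UNIQUE constraint on name: username taken
        }
        throw $e;         // any other database error is still an error
    }
}

var_dump(registerChatUser($pdo, 'John', 'pw-one'));  // name is free
var_dump(registerChatUser($pdo, 'john', 'pw-two'));  // same name again is refused, not updated
```

With this in place the registration code paths split on the return value: `false` becomes the "Username taken" error the question asks for, and the existing "update timestamp and password" behaviour is never reached for a name that already exists.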