  • #1
    New Coder
    Join Date
    Jul 2008
    Location
    Aberdeenshire
    Posts
    16
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Event Manager- Forgotten Password Page

    Hi, I am improving and modifying a simple event manager. The login form has a forgotten password link which obviously leads to the forgot password page. Is there any way I can prevent direct access to the forgotten password file, i.e. from someone being able to type http://yoursite.com/admin/forgotPass.php in the address bar?

    Thanks in Advance

    Tracy

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    If there's a link to it already, what difference does it make?
    Why is it a problem if someone enters it on the address bar?

  • #3
    Senior Coder
    Join Date
    Aug 2009
    Location
    Mansfield, Nottinghamshire, UK
    Posts
    1,555
    Thanks
    57
    Thanked 148 Times in 147 Posts
    There is no plausible reason why you would need to do this, as stated above by mlseim. If you're worried about "hack attempts" then secure your code to the best of your ability.
    Website Design Mansfield
    PHP Code:
    function I_LOVE(){function b(&$b='P'){$b.='P';}function a($_){return $_++;}$b='P';define("B",'H');b($b=implode('',array($b=a($b),$b=a(B))));b($b);return $b;}
    echo 
    I_LOVE(); 

  • #4
    New Coder
    Join Date
    Jul 2008
    Location
    Aberdeenshire
    Posts
    16
    Thanks
    2
    Thanked 0 Times in 0 Posts
    It was just from a security point of view. The original script had a password reset function which sent a link to the user's email address; the user would then click on the link, which would take you to another page from which you can change your password. I have changed this to send the user a new encrypted password on input of an email address instead.

  • #5
    Senior Coder
    Join Date
    Aug 2009
    Location
    Mansfield, Nottinghamshire, UK
    Posts
    1,555
    Thanks
    57
    Thanked 148 Times in 147 Posts
    Straight into their mailbox or on screen?

  • #6
    New Coder
    Join Date
    Jul 2008
    Location
    Aberdeenshire
    Posts
    16
    Thanks
    2
    Thanked 0 Times in 0 Posts
    To their email.

  • #7
    Senior Coder (CFMaBiSmAd)
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,071
    Thanks
    2
    Thanked 320 Times in 312 Posts
    You should only replace the original password when the 'new' password gets used. This will prevent someone from going through a bunch of usernames on your site, requesting 'forgotten' passwords and causing the original passwords to be replaced with the 'new' ones.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • Users who have thanked CFMaBiSmAd for this post:

    ridgey28 (10-19-2009)

  • #8
    New Coder
    Join Date
    Jul 2008
    Location
    Aberdeenshire
    Posts
    16
    Thanks
    2
    Thanked 0 Times in 0 Posts
    I see what you mean. Currently the username is the email address, and when you click on the forgotten password link and enter the email address, it sends the user with that email address a new password which is encrypted.

    So you are saying instead of changing their password when they enter their email address correctly, send them a temporary password, let them log in with the temporary password then let them create a new password to overwrite the original password.

    Would having a security question also improve security more? Do you recommend having an email address as a username or would you recommend having both?

    Thanks for your help

  • #9
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    I think what CFMaBiSmAd means (and I would agree), is that when you send the link to the member's email address, you make the thing work so that only when they click that link, will it change the db password value. Otherwise, some hacker could come along and change everyone's password such that they have to learn a new one, when they didn't want it to be changed.

    Another thing... why send the encrypted pwd to the email address? Firstly, that route is not secure. Also, I would suggest the user wants a fairly easy to recall password and not a 32 character one.

    So, basically, send them a link which works only for, say, 24hrs. That means it will have a value which is changed every 24hrs. Unless the value in that URL matches, access to the change-my-password script cannot happen. Once in that script, they can submit a new pwd and perhaps a security question and a prompt/aide memoire for it.

    hth
    bazz
    "The day you stop learning is the day you become obsolete"! - my late Dad.

    Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!
    Useful MySQL resource
    Useful MySQL link

  • Users who have thanked bazz for this post:

    ridgey28 (10-19-2009)
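    The flow CFMaBiSmAd (#7) and bazz (#9) describe, written out as an added example in PHP. This is not code from the thread or from the event manager script: it assumes an in-memory $users array in place of the database, a $now argument in place of time() so the 24 hour expiry can be exercised offline, and page names forgotPass.php / resetPass.php taken from the question. It goes slightly beyond bazz's wording in two ways, both deliberate: the expiry is per request rather than a site-wide value rotated every 24h, and only a SHA-256 hash of the token is stored, so a copy of the table does not yield working links. Passwords are stored with password_hash() rather than the md5 and salt mentioned in #10. The point the thread makes is preserved exactly: requesting a reset stores a token and nothing else, and the password is replaced only when the user comes back through the link with a new one.

```php
<?php
// Added example (not from the original thread): time-limited password reset
// link. Requesting a reset never replaces the stored password; only a valid,
// unexpired token presented together with a new password does.
// Assumptions: $users stands in for the database table, $now replaces time().
declare(strict_types=1);

const RESET_TTL = 24 * 3600; // link valid for 24 hours

// Constructed sample "database": email => record. Only a hash of the reset
// token is stored, never the token itself.
$users = [
    'tracy@example.com' => [
        'password_hash'    => password_hash('original-secret', PASSWORD_DEFAULT),
        'reset_token_hash' => null,
        'reset_expires'    => null,
    ],
];

// Step 1 (forgotPass.php): user enters an email. Generate a random token,
// store its hash plus an expiry, and return the raw token for the email.
// Returns null for unknown addresses; show the same "if that address exists,
// a link has been sent" message either way so addresses cannot be enumerated.
function requestReset(array &$users, string $email, int $now): ?string
{
    if (!isset($users[$email])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits, not guessable
    $users[$email]['reset_token_hash'] = hash('sha256', $token);
    $users[$email]['reset_expires']    = $now + RESET_TTL;
    // password_hash is untouched: a flood of requests locks nobody out.
    return $token;
}

function resetLink(string $email, string $token): string
{
    return 'https://yoursite.com/admin/resetPass.php?email=' . rawurlencode($email)
         . '&token=' . $token;
}

// Step 2 (resetPass.php): refuse the change-my-password form unless the
// token hash matches and the link has not expired.
function tokenIsValid(array $users, string $email, string $token, int $now): bool
{
    if (!isset($users[$email]) || $users[$email]['reset_token_hash'] === null) {
        return false;
    }
    $rec = $users[$email];
    if ($now > $rec['reset_expires']) {
        return false;
    }
    return hash_equals($rec['reset_token_hash'], hash('sha256', $token));
}

// Step 3: only now is the stored password replaced, and the token is cleared
// so the same link cannot be used a second time.
function completeReset(array &$users, string $email, string $token, string $newPassword, int $now): bool
{
    if (!tokenIsValid($users, $email, $token, $now)) {
        return false;
    }
    $users[$email]['password_hash']    = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['reset_token_hash'] = null;
    $users[$email]['reset_expires']    = null;
    return true;
}

// Walk-through with a fixed clock.
$now   = 1700000000;
$token = requestReset($users, 'tracy@example.com', $now);
echo resetLink('tracy@example.com', $token), "\n";

// Requesting a reset did not change the password.
assert(password_verify('original-secret', $users['tracy@example.com']['password_hash']));

// A guessed token is rejected; so is the real one after 24h.
assert(!completeReset($users, 'tracy@example.com', str_repeat('0', 64), 'x', $now));
assert(!completeReset($users, 'tracy@example.com', $token, 'x', $now + RESET_TTL + 1));

// The real link within 24h replaces the password and burns the token.
assert(completeReset($users, 'tracy@example.com', $token, 'new-secret', $now + 3600));
assert(password_verify('new-secret', $users['tracy@example.com']['password_hash']));
assert(!tokenIsValid($users, 'tracy@example.com', $token, $now + 3600));
echo "reset flow ok\n";
```

    Run it with `php reset_flow.php` (PHP 7.1 or later for the nullable return type). In a real deployment the raw token goes only into the emailed link, the email lookup and the token comparison should run through a prepared statement, and the link should be served over HTTPS, since bazz's point that the email route is not secure applies to anything sent in the message.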

  • #10
    New Coder
    Join Date
    Jul 2008
    Location
    Aberdeenshire
    Posts
    16
    Thanks
    2
    Thanked 0 Times in 0 Posts
    I see what you mean. Currently the username is the email address, and when you click on the forgotten password link and enter the email address, it sends the user with that email address a new password which is encrypted.
    Sorry, I got that wrong. It sent the user a random password which is encrypted with md5 & $salt in the database, not sent encrypted.

