
Event Manager- Forgotten Password Page



ridgey28
10-18-2009, 03:46 PM
Hi, I am improving and modifying a simple event manager. The login form has a forgotten password link which obviously leads to the forgot password page. Is there any way I can prevent direct access to the forgotten password file, i.e. from someone being able to type http://yoursite.com/admin/forgotPass.php in the address bar?

Thanks in Advance

Tracy

mlseim
10-18-2009, 07:13 PM
If there's a link to it already, what difference does it make?
Why is it a problem if someone enters it on the address bar?

Phil Jackson
10-18-2009, 07:40 PM
There is no plausible reason for why you would need to do this, as stated above by mlseim. If you're worried about "hack attempts" then secure your code to the best of your ability.

ridgey28
10-18-2009, 07:44 PM
It was just from a security point of view. The original script had a password reset function which sent a link to the users email address, the user would then click on the link which would take you to another page from which you can change your password. I have changed this to send the user a new encrypted password on input of an email address instead.

Phil Jackson
10-18-2009, 07:45 PM
Straight into their mail box or on screen?

ridgey28
10-18-2009, 07:51 PM
To their email.

CFMaBiSmAd
10-18-2009, 07:53 PM
You should only replace the original password when the 'new' password gets used. This will prevent someone from going through a bunch of usernames on your site, requesting 'forgotten' passwords and causing the original passwords to be replaced with the 'new' ones.

ridgey28
10-18-2009, 08:16 PM
I see what you mean. Currently the username is the email address and when you click on the forgotten password link and enter the email address, it sends the user with that email address a new password which is encrypted.

So you are saying instead of changing their password when they enter their email address correctly, send them a temporary password, let them log in with the temporary password then let them create a new password to overwrite the original password.

Would having a security question also improve security more? Do you recommend having an email address as a username or would you recommend having both?

Thanks for your help

bazz
10-19-2009, 04:11 AM
I think what CFMaBiSmAd means (and I would agree), is that when you send the link to the member's email address, you make the thing work so that only when they click that link, will it change the db password value. Otherwise, some hacker could come along and change everyone's password such that they have to learn a new one, when they didn't want it to be changed.

Another thing.... why send the encrypted pwd to the email address? Firstly, that route is not secure. Also, I would suggest, the user wants a fairly easy to recall password and not a 32 character one.

So, basically, send them a link which works only for say 24hrs. That means it will have a value which is changed every 24hrs. Unless the value in that URL matches, access to the change-my-password script cannot happen. Once in that script, they can submit a new pwd and perhaps a security question and a prompt/aide memoire for it.

hth
bazz
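The flow CFMaBiSmAd and bazz describe (a time-limited, single-use link, and the stored password only replaced when that link is actually used) as an added example. This is not the event manager's code; it uses an in-memory `$users` array in place of the database, and the function names, column names and the `resetPass.php` URL are assumptions for illustration.

```php
<?php
// Added example, not the event manager's own code. The $users array stands in
// for the database table; function and column names are hypothetical.

// Constructed sample user store: email => [password_hash, reset_token_hash, reset_expires]
$users = [
    'tracy@example.com' => [
        'password_hash'    => password_hash('original-secret', PASSWORD_DEFAULT),
        'reset_token_hash' => null,
        'reset_expires'    => null,
    ],
];

const RESET_TTL_SECONDS = 24 * 60 * 60;   // link valid for 24 hours, as bazz suggests

// Step 1: the forgotPass.php handler. It never changes the password; it only
// records a one-time token and returns the link that would be emailed.
function requestReset(array &$users, string $email, int $now): ?string
{
    if (!isset($users[$email])) {
        // Unknown address: do nothing, and show the same "check your email" page
        // either way so the form cannot be used to enumerate accounts.
        return null;
    }
    $token = bin2hex(random_bytes(32));                            // 256-bit random token
    $users[$email]['reset_token_hash'] = hash('sha256', $token);   // store only a hash of it
    $users[$email]['reset_expires']    = $now + RESET_TTL_SECONDS;
    // The raw token leaves the server only inside the emailed link (URL is an assumption)
    return 'https://yoursite.example/admin/resetPass.php?email=' . rawurlencode($email)
         . '&token=' . $token;
}

// Step 2: the resetPass.php handler. The stored password is replaced only if
// the token matches, has not expired, and has not already been used.
function completeReset(array &$users, string $email, string $token, string $newPassword, int $now): bool
{
    if (!isset($users[$email]) || $users[$email]['reset_token_hash'] === null) {
        return false;                       // no reset pending for this account
    }
    $row = &$users[$email];
    if ($now > $row['reset_expires']) {
        $row['reset_token_hash'] = null;    // expired: discard the token
        $row['reset_expires']    = null;
        return false;
    }
    // Constant-time comparison of the token hashes
    if (!hash_equals($row['reset_token_hash'], hash('sha256', $token))) {
        return false;
    }
    $row['password_hash']    = password_hash($newPassword, PASSWORD_DEFAULT);
    $row['reset_token_hash'] = null;        // single use: the same link cannot be replayed
    $row['reset_expires']    = null;
    return true;
}

function checkLogin(array $users, string $email, string $password): bool
{
    return isset($users[$email]) && password_verify($password, $users[$email]['password_hash']);
}

// Walk-through of the flow
$now  = time();
$link = requestReset($users, 'tracy@example.com', $now);
echo "Email this link: $link\n";

// Until the link is used, the original password still works, so a stranger
// requesting resets for every address cannot lock anyone out.
var_dump(checkLogin($users, 'tracy@example.com', 'original-secret'));

parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(completeReset($users, $q['email'], 'wrong-token', 'new-secret', $now));  // wrong token is rejected
var_dump(completeReset($users, $q['email'], $q['token'], 'new-secret', $now));    // genuine link changes the password
var_dump(completeReset($users, $q['email'], $q['token'], 'again', $now));         // reuse of the same link is rejected
var_dump(checkLogin($users, 'tracy@example.com', 'new-secret'));                  // new password now works
var_dump(completeReset($users, $q['email'], $q['token'], 'late', $now + RESET_TTL_SECONDS + 1)); // expired
```

Run it with `php reset-example.php`. Two design choices worth noting: only a SHA-256 hash of the token is stored, so a read of the database does not yield usable reset links, and the password is hashed with `password_hash` rather than a salted md5, so the stored value is also a one-way hash but with a slow, purpose-built algorithm.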

ridgey28
10-19-2009, 12:47 PM
I see what you mean. Currently the username is the email address and when you click on the forgotten password link and enter the email address, it sends the user with that email address a new password which is encrypted.

Sorry I got that wrong. It sent the user a random password which is encrypted with md5 & $salt, in the database, not sent encrypted.


