Everything posted by shoebox

  1. cheers; was just not thinking about it properly.
  2. Hi, I have a logon system with a forgotten password process that mails the user a link like: http://localhost/myProject/changePassword.php?email=user@gmail.com&key=28623674 to change their password; it works fine. I was just wondering, from a security perspective, like Facebook's, is there a way to redirect the user if they go mucking with the URL in the browser toolbar? Thanks, SB
  3. Hi, I think the problem is with not having GET variables; I'm not sure where to have them either. I use 3 files, I'll paste the important parts in here.

     <<forgotPassword.php>>
     ....
     <div id="page">
       <h1 style="text-align:center;margin-left:auto;margin-right:auto;">Forgotten Password</h1>
       <h2>Please enter your email address below & check your mail for instructions</h2>
       <br /> <br />
     </div>
     <?php
     session_start();
     if( isset($_POST['submit'])) {
       if( $_SESSION['security_code'] == $_POST['security_code'] && !empty($_SESSION['security_code'] ) ) {
         // Insert your code for processing the form here, e.g emailing the submission, entering it into a database.
         echo 'Thank you. Your message said "'.$_POST['message'].'"';
         unset($_SESSION['security_code']);
       } else {
         // Insert your code for showing an error message here
         echo 'Sorry, you have provided an invalid security code';
       }
     } else {
     ?>
     <form method="post" action="sendEmailAddress.php">
     <div id="container">
     <div id="main">
       Email: <input type="text" name="email" id="email" /><br /> <br /> <br />
       <img src="CaptchaSecurityImages.php?width=100&height=40&characters=5" /><br />
       <label for="security_code">Enter security code above: </label><input id="security_code" name="security_code" type="text" />
       <br></br> <br></br>
       <input type="submit" value="Submit" name="submit" id="submit" />
     ....

     <<sendEmailAddress.php>>
     if (isset ( $_POST ['submit'] )) {
       if ($_SESSION ['security_code'] == $_POST ['security_code'] && ! empty ( $_SESSION ['security_code'] )) {
         $email = $_POST ['email'];
         $site_owners_email = 'me@gmail.com'; // Replace this with your own email address
         $site_owners_name = 'ME'; // replace with your name
         $key=2314123;
         $pwdLink = 'http://localhost/secureLotto/changePassword.php?email='.$email.'&key='.$key;
         if (! preg_match ( '/^[a-z0-9&\'\.\-_\+]+@[a-z0-9\-]+\.([a-z0-9\-]+\.)*+[a-z]{2}/is', $email )) {
           $error ['email'] = "Please enter a valid email address";
         }
         if (! $error) {
           $mailResult = mysql_query ( "SELECT confirm_code FROM members WHERE email='$email'" );
           if ($mailResult) {
             if (mysql_num_rows ( $mailResult ) == 1) {
               $crap = mysql_result ( $mailResult, 0 );
             } else {
               //Login failed
               header ( "location: changePassword-failed.php" );
               exit ();
             }
           } else {
             die ( "Query failed" );
           }
           require_once ('phpMailer/class.phpmailer.php');
           $mail = new PHPMailer ();
           $mail->IsSMTP ();
           $mail->Host = 'ssl://smtp.gmail.com:465';
           $mail->SMTPAuth = TRUE;
           $mail->Username = "me@gmail.com"; // SMTP username
           $mail->Password = "********"; // SMTP password
           $mail->FromName = 'me';
           $mail->From = $email;
           $mail->Subject = "Forgotten Password";
           $mail->AddAddress ( $site_owners_email, $site_owners_name );
           $mail->AddAddress ( $email,$name);
           $mail->Body = 'Please follow this link ' .$pwdLink .' and enter this confirmation code ' . $crap;
           $mail->Send ();
           echo "<h2 class='success'> Thanks, an email has been sent to " . $email . ". Please follow the instructions </h2><h2>(it may be in your spam folder)</h2>";
         } # end if no error

     <<changePassword.php>>
     ...
     <form id="changePasswordForm" name="changePasswordForm" method="post" action="changePassword-exec.php">
       <input type="hidden" name="md5Pass" value="" />
       <input type="hidden" name="md5CPass" value="" />
       <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
         <tr>
           <th width="124">Email</th>
           <td width="168"><input name="email" type="text" class="textfield" id="email" /></td>
         </tr>
         <tr>
           <th width="124">Confirmation Code</th>
           <td width="168"><input name="code" type="text" class="textfield" id="code" /></td>
         </tr>
         <tr>
           <th>New Password</th>
           <td><input name="password" type="password" class="textfield" id="password" onKeyUp="checkPassword(this.value)" /></td>
     ...

     Any help would be appreciated to tell me where to place the GET variables & reset the link if a user changes it (see first post). Thanks, SB
  4. Hi, I have a reset password script that sends a user a link when they complete a 'forgot password' page; they enter their email & validate a captcha image, then I send them an email with a unique confirmation code & a link like: $pwdLink = 'http://localhost/myProject/changePassword.php?email='.$email.'&key='.$actKey; so when they click it, it goes to a browser correctly as: http://localhost/myProject/changePassword.php?email=test@test.ie&key=32847238974892374982 but in the browser I can delete all the stuff just to leave: http://localhost/myProject/changePassword.php and I'm on the same page! Any ideas? Thanks, SB
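Posts 2 to 4 above ask how to stop a user landing on changePassword.php after editing or stripping the query string. The following is an added example, not the poster's code: the key in the link becomes a random token, only its hash is stored together with an expiry, and the page verifies it before showing the form. It assumes a PDO handle $db and a table password_resets(email, token_hash, expires_at) with email as its unique key; the file names are the ones from the posts.

```php
<?php
// Added example (not the poster's code). Assumed: PDO handle $db and a
// table password_resets(email UNIQUE, token_hash, expires_at).

function createResetLink(PDO $db, string $email): string {
    // 32 random bytes -> 64 hex chars; unguessable, unlike a fixed $key.
    $token = bin2hex(random_bytes(32));
    // Store only the hash, so a database read does not yield usable links.
    $stmt = $db->prepare(
        'REPLACE INTO password_resets (email, token_hash, expires_at)
         VALUES (?, ?, ?)');
    $stmt->execute([$email, hash('sha256', $token),
                    date('Y-m-d H:i:s', time() + 3600)]);   // valid 1 hour
    return 'http://localhost/myProject/changePassword.php?'
         . http_build_query(['email' => $email, 'key' => $token]);
}

function validResetToken(PDO $db, ?string $email, ?string $token): bool {
    // A missing or malformed parameter fails before any database work.
    if ($email === null || $token === null || !ctype_xdigit($token)) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT token_hash, expires_at FROM password_resets WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || strtotime($row['expires_at']) < time()) {
        return false;   // no outstanding request, or it has expired
    }
    // Constant-time comparison of the hashed token.
    return hash_equals($row['token_hash'], hash('sha256', $token));
}

// Top of changePassword.php: anyone who strips or edits the query string
// is sent back to the request form instead of seeing the change form.
if (!validResetToken($db, $_GET['email'] ?? null, $_GET['key'] ?? null)) {
    header('Location: forgotPassword.php?error=invalid_link');
    exit;
}
```

changePassword-exec.php has to run the same check on the POSTed email and key (carried in hidden fields) and delete the password_resets row once the password is changed, since the GET check alone only protects the form, not the submission.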
  5. Sorry to butt in, but can someone check my logon script attached? Thanks, SB [attachment deleted by admin]
  6. Okay then; I understand then it's a hashed password with a dynamic salt. So from my code above what's the best way to implement this? So far I think I should.... when a user tries to log on the values submitted are username, password & nonce. I concatenate the nonce to the password & hash this value & post these values. When checking if the passwords match server-side do I just get the password from the db via the select & append & hash it to the nonce that was passed as hidden??? Thanks, SB
  7. so I guess I stick with the salt I have then? from what you said that makes sense. as for the nonce; if this is random and appended to the password when it is submitted - how do I match that with what is in the DB? thanks, SB
  8. Hi, I'm new to the forum so I hope I'm in the right place. I'm trying to develop a secure login & member system for a club website but am having difficulty in getting my head around salts and nonces for my registration & logon. Here's what I do to reg:

     $salt = "aB1cD2eF3G";
     $salt .= $login;
     $password = $_POST['password'];
     $pass = md5($salt.$password);
     //Create INSERT query
     $qry = "INSERT INTO members(firstname, lastname, login, passwd) VALUES('$fname','$lname','$login','$pass')";

     I know the salt is static & want to have it random; I think that's the idea of a nonce - but would I have to create a separate table for these nonces? Anyway, on my logon page I have this:

     $salt = "aB1cD2eF3G";
     $salt .= $login;
     $pass = md5 ( $salt . $password );
     //Create query
     $qry = "SELECT * FROM members WHERE login='$login' AND passwd='$pass'";
     $result = mysql_query ( $qry );
     //Check whether the query was successful or not
     if ($result) {
       if (mysql_num_rows ( $result ) == 1) {
         if (condition) { }
         //Login Successful
         session_regenerate_id ();

     which works but I'm concerned with the problem above. Finally, I just have this bit for nonce & timestamp:

     // Security Checks
     if (($timeStamp != $_SESSION ['TIME'])) {
       $errmsg_arr [] = 'timeStamp amended: Security Hijack';
       $errflag = true;
     }
     if (($nonce != $_SESSION ['RAND'])) {
       $errmsg_arr [] = 'nonce missing: Security Hijack';
       $errflag = true;
     }

     I get the RAND & TIME from hidden fields. I guess I'm just looking for advice. Thanks, SB
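Posts 6 to 8 above ask how a random salt or nonce can be matched against what is stored. The following is an added example, not the poster's code: the per-user random salt comes from password_hash(), which stores it inside the hash so no extra table is needed; the login query is parameterised and the hash is checked in PHP; and the form nonce stays a session value compared server-side, rather than being hashed into the password. It assumes a PDO handle $db, the members(login, passwd) table from the post, and that session_start() has been called.

```php
<?php
// Added example (not the poster's code). Assumed: PDO handle $db, table
// members(login, passwd) from the post, session already started.

function registerMember(PDO $db, string $login, string $password): void {
    // bcrypt generates a fresh random salt and stores it inside the hash,
    // so no separate salt or nonce table is needed.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO members (login, passwd) VALUES (?, ?)');
    $stmt->execute([$login, $hash]);
}

function checkLogin(PDO $db, string $login, string $password): bool {
    // Look up by login only; the password is verified in PHP, not in SQL,
    // and the bound parameter cannot alter the query.
    $stmt = $db->prepare('SELECT passwd FROM members WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify reads the salt back out of the stored hash.
    return $row !== false && password_verify($password, $row['passwd']);
}

// Form nonce: issued when the login form is rendered (put it in a hidden
// field) ...
function issueFormNonce(): string {
    $_SESSION['login_nonce'] = bin2hex(random_bytes(16));
    $_SESSION['login_nonce_time'] = time();
    return $_SESSION['login_nonce'];
}

// ... and consumed exactly once on submit, within a time window, which
// replaces the separate RAND and TIME checks from the post.
function consumeFormNonce(?string $submitted, int $maxAge = 900): bool {
    $expected = $_SESSION['login_nonce'] ?? null;
    $issued = $_SESSION['login_nonce_time'] ?? 0;
    unset($_SESSION['login_nonce'], $_SESSION['login_nonce_time']);
    return $expected !== null && $submitted !== null
        && time() - $issued <= $maxAge
        && hash_equals($expected, $submitted);
}

// Login handler:
if (!consumeFormNonce($_POST['nonce'] ?? null)) {
    $errmsg_arr[] = 'nonce missing or stale';
} elseif (checkLogin($db, $_POST['login'] ?? '', $_POST['password'] ?? '')) {
    session_regenerate_id(true);   // new session id on privilege change
    $_SESSION['member'] = $_POST['login'];
}
```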