limitphp Posted December 1, 2008
Ok, as far as having users being able to update their passwords, I have a page myaccount.php. You can only get to it if you've logged in. Once there, it displays their info: name, username, password, and email address. You can only update and change your password and email address. Name and username you cannot change. I'm new to developing this, is that a good policy?
As far as dealing with lost passwords, I guess I'll start by storing encrypted passwords in the user table. If they forget their password, I guess I can have them store a security question and an answer. Once they answer the question, send them a new password to their email. Is that a good policy? Or do you think that's too much? Should I just have them give me their first and last name and their email address? I just want to make sure people don't start resetting other people's passwords.
https://forums.phpfreaks.com/topic/135012-updating-passwords-and-dealing-with-lost-passwords/
cooldude832 Posted December 1, 2008
All good except changing emails. Changing emails shouldn't be done unless absolutely necessary. This prevents spam accounting.
limitphp Posted December 1, 2008 (Author)
"All good except changing emails. Changing emails shouldn't be done unless absolutely necessary. This prevents spam accounting."
Thank you very much. I will disable the ability to change email addresses. Should I even display the info to them? Like their name, username, and email address? Right now I have it all showing in textboxes, with the name and username textboxes disabled.
The Little Guy Posted December 1, 2008
Give each user a unique auth code, it would look something like this: a8d4k894kJ0ws45sK

Then when updating the db, you would do something like this:

    // per-user random auth code, stored in the users table and copied into the session at login
    $auth = mysql_real_escape_string($_SESSION['auth']);   // e.g. a8d4k894kJ0ws45sK
    $id   = (int) $_SESSION['id'];
    $pass = mysql_real_escape_string($pass);               // the new (hashed) password
    mysql_query("UPDATE tableName SET `password` = '{$pass}' WHERE `auth` = '{$auth}' AND `id` = '{$id}'");
cooldude832 Posted December 1, 2008
"Give each user a unique auth code, it would look something like this: a8d4k894kJ0ws45sK. Then when updating the db, you would do something like this: [code as above]"
Not really necessary; if they log in they are fine. Not changing email also prevents you from not being able to PW recover.
limitphp Posted December 1, 2008 (Author)
Never mind, he just answered my question.
limitphp Posted December 1, 2008 (Author)
"Not changing email also prevents you from not being able to PW recover."
Do you mean, if they cannot change their email then I can do password recoveries sent to their email address?
The Little Guy Posted December 1, 2008
I wouldn't allow for a user to change their email, the one they give should be the one they use for keeps.
cooldude832 Posted December 1, 2008
Yes, exactly. If they get hacked, that means they can still PW recover with their original email account.
Mchl Posted December 1, 2008
Suppose I can no longer access the email I registered with. What am I supposed to do? Register again? What if your site's TOS forbid having multiple accounts? If you forbid me to change my email address, I'd rather not register at all.
limitphp Posted December 1, 2008 (Author)
"Suppose I can no longer access the email I registered with. What am I supposed to do? Register again? What if your site's TOS forbid having multiple accounts? If you forbid me to change my email address, I'd rather not register at all."
That's a good point. But, if you forget your password and you no longer have the same email address, how do I know you are who you say you are? What's to stop someone from saying they are your username and requesting a new password be sent to some other email address? A security question and answer?
They can have multiple accounts, that's fine. It'll just make my site appear to have more users... kind of like digg.
All the purchases of music on my site will be done with Google Checkout. So, I assume they'll fill out all their personal stuff through Google.
limitphp Posted December 1, 2008 (Author)
"All good except changing emails. Changing emails shouldn't be done unless absolutely necessary. This prevents spam accounting."
Actually, doesn't using reCAPTCHA at registration prevent spamming?
Mchl Posted December 1, 2008
"That's a good point. But, if you forget your password and you no longer have the same email address, how do I know you are who you say you are?"
Exactly. You don't. Imagine this scenario:
I register on a site in December 2008 using my current email account.
In March 2009 my ISP goes out of business, and I have to change my email address.
In January 2010, Eskimo hackers attack your site and gain access to the user database. To avoid them logging in with stolen passwords, you decide to regenerate passwords for all users and send them to their registration emails... oops...
Man... and I was such an active member of the community... had this nice profile and things...
gevans Posted December 1, 2008
"Exactly. You don't. Imagine this scenario. I register on a site in December 2008 using my current email account. In March 2009 my ISP goes out of business, and I have to change my email address. In January 2010, Eskimo hackers attack your site and gain access to the user database. To avoid them logging in with stolen passwords, you decide to regenerate passwords for all users and send them to their registration emails... oops... Man... and I was such an active member of the community... had this nice profile and things..."
HAHAHA, well said!! Amusing and intuitive.
cooldude832 Posted December 1, 2008
The solution is you can change email only by special request. PayPal does it this way.
Mchl Posted December 1, 2008
Note that you can have more than one email assigned to a PayPal profile.
cooldude832 Posted December 1, 2008
This is true. I guess it's really a site-to-site thing.
If multiple accounts is a big issue, locking down is key.
If protecting an account is vital, locking down is key.
If contacting the user via email is vital, maybe not locking down, or allowing multiple.
The goal of any type of system is to write it to work for your needs.
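The middle ground between "never change the email" and "change it freely" is to let the user request a change, but only make the new address the recovery address once it has proven it can receive mail, while the old address is warned. The following is an added example written for this page, not code from the thread or from any poster. It assumes PHP 7 or later (for random_bytes() and password_hash()); the arrays $users and $pending are constructed stand-ins for two database tables, and the mail() calls are left as comments so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. $users and $pending stand in for two
// database tables; the mail() steps are comments so the script runs offline.

$users = [                                                  // constructed sample row
    'limitphp' => [
        'email'    => 'old@example.com',
        'password' => password_hash('correct horse', PASSWORD_DEFAULT),
    ],
];
$pending = [];                                              // sha256(token) => pending change

function requestEmailChange(array $users, array &$pending, string $username,
                            string $currentPassword, string $newEmail): ?string
{
    // Re-authenticate with the password: a hijacked session alone must not be
    // enough to move the account's recovery address.
    if (!isset($users[$username])
        || !password_verify($currentPassword, $users[$username]['password'])
        || filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $token = bin2hex(random_bytes(16));                     // 128-bit single-use token
    $pending[hash('sha256', $token)] = [                    // store only its hash
        'username' => $username,
        'email'    => $newEmail,
        'expires'  => time() + 3600,                        // one hour to click the link
    ];
    // mail($newEmail, 'Confirm your new address', "https://example.com/confirm?token=$token");
    // mail($users[$username]['email'], 'Email change requested', '...'); // warn the old address
    return $token;                                          // returned here only for the demo below
}

function confirmEmailChange(array &$users, array &$pending, string $token): bool
{
    $key = hash('sha256', $token);
    if (!isset($pending[$key])) {
        return false;
    }
    $change = $pending[$key];
    unset($pending[$key]);                                  // single use, even when expired
    if ($change['expires'] < time()) {
        return false;
    }
    $users[$change['username']]['email'] = $change['email'];
    return true;
}

$token = requestEmailChange($users, $pending, 'limitphp', 'correct horse', 'new@example.com');
echo $users['limitphp']['email'], PHP_EOL;                  // still the old address at this point
if ($token !== null) {
    confirmEmailChange($users, $pending, $token);
    echo $users['limitphp']['email'], PHP_EOL;              // updated once the link is followed
    var_dump(confirmEmailChange($users, $pending, $token)); // replaying the same link is rejected
}
```

The two properties worth keeping whatever storage you use: the database holds only a hash of the token, so a leaked pending table does not let anyone confirm a change, and the old address is notified, so the legitimate owner learns of a hijack while the old address still works for recovery.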
limitphp Posted December 1, 2008 (Author)
"Exactly. You don't. Imagine this scenario. I register on a site in December 2008 using my current email account. In March 2009 my ISP goes out of business, and I have to change my email address. In January 2010, Eskimo hackers attack your site and gain access to the user database. To avoid them logging in with stolen passwords, you decide to regenerate passwords for all users and send them to their registration emails... oops... Man... and I was such an active member of the community... had this nice profile and things..."
So, should I let them change their email address on the myaccount page? I'm confused again.
Ok, this is what I'll do:
Store encrypted passwords in the database.
When they register, store a field called security_question and answer (let them create the question and answer). How long should I make the security_question field? 300 varchar? 500 varchar?
How should I build the rest of it? On the myaccount page (they have to be logged in to access) should I display their username, name, password, email, but only let them change their password and email?
And then, if they forget their password, have them answer their security question and then send a new password (generated via md5(uniqID)?) to their email address?
I'm new to developing all this, so I'm not sure how to set it up.
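The reset flow laid out in the post above (hashed password in the users table, a security question and answer, a new credential sent to the email on file) can be built like the following. This is an added example written for this page, not code from the thread or any poster. It departs from the post in three places, all deliberate: the security answer is hashed like the password so a copied users table does not reveal it; the reset credential comes from random_bytes() rather than md5(uniqID); and what is emailed is a single-use, time-limited reset link, not a new password, so the link is worthless once used or expired. The $user array is a constructed stand-in for one row of the users table, the question_id refers to a predefined row in a security_questions table, and the mail() call is a comment so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. A PHP array stands in for one users row;
// the mail() step is a comment so the script runs offline. Requires PHP 7+.

function normalizeAnswer(string $answer): string
{
    // Users will type "Fluffy", "fluffy " or "FLUFFY"; compare a canonical form.
    return strtolower(trim(preg_replace('/\s+/', ' ', $answer)));
}

function registerUser(string $username, string $password, string $email,
                      int $questionId, string $answer): array
{
    return [
        'username'     => $username,
        'email'        => $email,
        'password'     => password_hash($password, PASSWORD_DEFAULT),   // never the plaintext
        'question_id'  => $questionId,          // row in a predefined security_questions table
        'answer'       => password_hash(normalizeAnswer($answer), PASSWORD_DEFAULT),
        'reset_hash'   => null,                 // sha256 of the outstanding reset token, if any
        'reset_expiry' => 0,
    ];
}

function beginReset(array &$user, string $answer): ?string
{
    if (!password_verify(normalizeAnswer($answer), $user['answer'])) {
        return null;                            // same response as for an unknown user
    }
    $token = bin2hex(random_bytes(16));         // 128 random bits, unlike md5(uniqid())
    $user['reset_hash']   = hash('sha256', $token);
    $user['reset_expiry'] = time() + 1800;      // link valid for 30 minutes
    // mail($user['email'], 'Reset your password', "https://example.com/reset?token=$token");
    return $token;                              // returned here only so the demo can use it
}

function completeReset(array &$user, string $token, string $newPassword): bool
{
    if ($user['reset_hash'] === null
        || $user['reset_expiry'] < time()
        || !hash_equals($user['reset_hash'], hash('sha256', $token))   // constant-time compare
        || strlen($newPassword) < 8) {
        return false;
    }
    $user['password']     = password_hash($newPassword, PASSWORD_DEFAULT);
    $user['reset_hash']   = null;               // token is spent; a second click fails
    $user['reset_expiry'] = 0;
    return true;
}

$user = registerUser('limitphp', 'old-pass', 'user@example.com', 3, 'Fluffy');
var_dump(beginReset($user, 'wrong answer'));                         // rejected
$token = beginReset($user, '  fluffy ');                             // accepted after normalization
if ($token !== null) {
    var_dump(completeReset($user, 'not-the-token', 'new-pass-123')); // wrong token
    var_dump(completeReset($user, $token, 'new-pass-123'));          // sets the new password
    var_dump(password_verify('new-pass-123', $user['password']));    // new password now works
    var_dump(completeReset($user, $token, 'another-pass'));          // replay of the spent token
}
```

One caveat the code cannot fix: a security answer is low-entropy, and hashing it only protects against someone who has the database, not someone guessing online. Rate-limit beginReset() per account and per IP, and answer "if that account exists, a link has been sent" for both wrong answers and unknown usernames so the form does not confirm which usernames are registered.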
cooldude832 Posted December 1, 2008
All up to you and your site. You seem to have a firm concept of basic logic here, so do what you want.
Mchl Posted December 1, 2008
Re: Security questions. I am not sure if you should let users choose their own questions. That could possibly be the weakest point in your account system, because people are lazy. The majority of questions would be 'what's my second name' and such. Doesn't take long for someone who knows the user to break into his/her account this way. Have a list of 10 predefined questions that are not too straightforward.
(BTW: whenever I have to choose a security question, I choose a random one and put in my generic security answer (being the name of my dog... which I never had).)
cooldude832 Posted December 1, 2008
Agreed. Also, my user management system sets the default password recovery answer to "yes", but when you go to change your temp password you must put in a security answer greater than 3 characters long, forcing you to change it. Yes, I get angry emails from confused people every day, but it has helped make people change security answers.
limitphp Posted December 1, 2008 (Author)
Thanks guys. I'll have a list of predefined security questions they can select. I'll just make a list of questions in a security_questions table. So, I guess I'll be updating my register page.
My site doesn't really need to be super duper secure. It's basically going to be a site that sells music. Only people will have to use Google Checkout to buy the music (for now... because it's the cheapest solution). So, I won't be storing a lot of sensitive data on people... really no sensitive data.
I need to get more confidence in building this website. If I make mistakes, screw it, I need to just push forward and get this thing finished. If I've messed up and need help later on, I need to realize I can just come here and get some help. I'll probably be better off for making the mistakes, both in syntax and mainly the logical mistakes in design.
This topic is now archived and is closed to further replies.