How to create password reset

[deason]

Hi,

I've used this tutorial to create a functional login page.

 

http://untame.net/2013/06/how-to-build-a-functional-login-form-with-php-twitter-bootstrap/

 

I now need to create a password Reset/recovery page.

 

I've had a go at using http://megarush.net/forgot-password-php/, but this dosn't seem to work and I think its due to the SALT usage in the login script?

 

Hopefully someone can help

[Jayden_Blade]

use a form

do a query on other info in same table as password

if query = their $_POST answers

UPDATE password 

else 

echo answers incorrect

[deason]

Hi Jayden,

 

I am using a form...the hashed password changes on the DB table for the user but i can't authenticate.

[Ch0cu3r]

In step4 of the reset script rather than use an md5 hash.

 

You need to get the salt from the database first (similar to how the login code gets the salt)

Then hash their password with the salt. (refer to the login code to see how this is done)

You then update the users password with the new salted password hash (replace   md5($pass) with the salted password hash)

Edited November 25, 2013 by Ch0cu3r

[deason]

Woah this is way over my head..

 

I have the following script for login code and PHP reset. 

 

Do i need to do a Post query to obtain the SALT?

 

Sorry im a PHP Numpty

?php 
    require("config.php"); 
    $submitted_username = ''; 
    if(!empty($_POST)){ 
        $query = " 
            SELECT 
                id, 
                username, 
                password, 
                salt, 
                email 
            FROM users 
            WHERE 
                username = :username 
        "; 
        $query_params = array( 
            ':username' => $_POST['username'] 
        ); 
          
        try{ 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex){ die("Failed to run query: " . $ex->getMessage()); } 
        $login_ok = false; 
        $row = $stmt->fetch(); 
        if($row){ 
            $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
            for($round = 0; $round < 65536; $round++){
                $check_password = hash('sha256', $check_password . $row['salt']);
            } 
            if($check_password === $row['password']){
                $login_ok = true;
            } 
        } 


        if($login_ok){ 
            unset($row['salt']); 
            unset($row['password']); 
            $_SESSION['user'] = $row;  
            header("Location: main.php"); 
            die("Redirecting to: main.php"); 
        } 
        else{ 
            print("Login Failed."); 
            $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 
?> 

Then the reset password code

<?php
//file reset.php
//title:Build your own Forgot Password PHP Script
session_start();
$token=$_GET['token'];
include("settings.php");
connect();
if(!isset($_POST['password'])){
$q="select email from tokens where token='".$token."' and used=0";
$r=mysql_query($q);
while($row=mysql_fetch_array($r))
   {
$email=$row['email'];
   }
If ($email!=''){
          $_SESSION['email']=$email;
}
else die("Invalid link or Password already changed");}
$pass=$_POST['password'];
$email=$_SESSION['email'];
if(!isset($pass)){
echo '<form method="post">
enter your new password:<input type="password" name="password" />
<input type="submit" value="Change Password">
</form>
';}
if(isset($_POST['password'])&&isset($_SESSION['email']))
{
$q="update users set password='".md5($pass)."' where email='".$email."'";
$r=mysql_query($q);
if($r)mysql_query("update tokens set used=1 where token='".$token."'");echo "Your password is changed successfully";
if(!$r)echo "An error occurred";
}


?>

[Ch0cu3r]

So you have not learnt how to get data from a database yet?

 

You do know it takes more than just copy and paste skills to learn how to program right? (Didn't mean to sound like an ass)

 

The three steps I have given you should only require about 8 lines of code (4 of which you already have for salting the password).

[davidannis]

A couple of issues that I see:

 

1. You are using sha256 to hash the password in the first script but using md5 in the second script. Even correcting the salt won't fix it.

 

2. This code seems to do the same thing >65,000 times when it only needs to be done once.

            for($round = 0; $round < 65536; $round++){
                $check_password = hash('sha256', $check_password . $row['salt']);
            } 

3. As already mentioned by Ch0cu3r you need to read the salt. Since you have e-mail address you can do it like you did in the first script except modify the query to

        $query = " 
            SELECT 
                id, 
                username, 
                password, 
                salt, 
                email 
            FROM users 
            WHERE 
                email = :email
        "; 

4. Notice in item 3 I am assuming that you'll use PDO to be consistent with the first script. You don't need to, you can use mysqli, but it is a mistake to use mysql (as you do now) because it is long since deprecated. Change email = :email to email='$email' in the line above if you use mysqli.

 

5. You need to salt and hash the password the same way you do in your login script. Assuming you choose mysqli you'll need to change the line:

$q="update users set password='".md5($pass)."' where email='".$email."'";

to

$newpass=hash('sha256',$pass.$row['salt']);
$q="update users set password='".$newpass."' where email='".$email."'";