PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Wed Nov 20, 2013 12:36 pm 
Forum Newbie

Joined: Mon Oct 28, 2013 12:19 am
Posts: 16
Nice to know about the password hashing. I've always used md5 and never knew it might be compromised.


Thanks for the great topic, califdon!


PostPosted: Wed Nov 20, 2013 2:09 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Thanks, but your thanks should go to the authors of the tutorial, Celauran and social-experiment. I only encouraged them to consolidate some of their earlier ideas and I published it here as a "sticky" post. Glad it has been helpful to a lot of the users here.


PostPosted: Wed Nov 20, 2013 4:01 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
We should probably look at updating this in light of the addition of password_hash() in PHP 5.5.0.


PostPosted: Wed Nov 20, 2013 4:44 pm 
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
It might be nice to include use of:

* PDO and prepared statements
* ReCaptcha for registration
* Login throttle using ReCaptcha; see the StackExchange answer: http://stackoverflow.com/questions/2090 ... pts-in-php


PostPosted: Wed Nov 20, 2013 7:00 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
I'm not a fan of reCAPTCHA in general, and registration forms in particular I like to keep simple. Email, password, done.


PostPosted: Tue Nov 26, 2013 1:33 am 
Forum Newbie

Joined: Mon Oct 28, 2013 12:19 am
Posts: 16


PostPosted: Tue Nov 26, 2013 1:35 am 
Forum Newbie

Joined: Mon Oct 28, 2013 12:19 am
Posts: 16


PostPosted: Sat Dec 28, 2013 1:42 pm 
Forum Newbie

Joined: Sat Dec 28, 2013 11:12 am
Posts: 3
Location: Wagenberg, The Netherlands
Great tutorial. It really helped me out.

What I'm now facing is the following. What if a user forgets his password? I can't, for good reasons, see his password. The only thing I can do is delete his account and let him register under the same name, email, etc.
How about a secure "forgot password" page? How do I do this? Or even reset the user's password to a standard one, like "welcome"?

Thnx


PostPosted: Sat Dec 28, 2013 2:47 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA


PostPosted: Mon Dec 30, 2013 3:53 am 
Forum Newbie

Joined: Sat Dec 28, 2013 11:12 am
Posts: 3
Location: Wagenberg, The Netherlands
Thnx Califdon.

Most of the registration/login procedure on my website is a copy/paste of the tutorial. So adding a "forgot password" feature is gonna be a bit of a challenge. I'll try, and see what I can come up with. :D


PostPosted: Tue Jan 07, 2014 10:32 am 
Forum Newbie

Joined: Tue Jan 07, 2014 10:11 am
Posts: 3
Really useful and easy-to-learn tutorial. I followed all of your tips here and applied them in my current project. I have a question though on Forgotten Passwords.
My project is OFFLINE - units are connected only thru LAN - so I cannot use the Send to Email approach.
One solution I can think of is to allow the Administrator to see user details such as names, usernames, and passwords.
Another is to send notifications to the client unit thru LAN. But I'm still a novice to PHP, JavaScript and others, so I don't know how to do it.

So how do I decrypt or un-hash the passwords so I can echo it in a textfield?
Any advice or suggestions will be much appreciated.
Thanks in advance!!! :D


PostPosted: Tue Jan 07, 2014 1:24 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA


PostPosted: Tue Jan 07, 2014 4:01 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
The problem with allowing administrators to see passwords is that they have to be stored as plain text. I'm sure you trust your sysadmin 100%, but if someone else got access to his computer or got hold of his login credentials, they'd own the system and could access any other account they wish to.

Califdon makes a good suggestion about having the user request a password in person; because there is no way to send the password, this seems to be the most secure way. Something to note in a case like this is that the user has to update to a new password ASAP to keep their account secure.


PostPosted: Tue Jan 07, 2014 4:46 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
Maybe this is getting unnecessarily complex, but what about adding a temporary password field? If an admin updates a user's password, that hash is written to the temporary password field. Logins can then check against the actual password (in case the user remembers) or the temporary password to grant access. If the temporary password was used, the user is redirected to a page forcing them to reset their password, at which point the temporary password field is emptied?


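Celauran's temporary-password field from the post above, built on the password_hash()/password_verify() API mentioned earlier in the thread, as an added example that is not part of the tutorial or of any post here. It assumes a users table with password_hash and temp_password_hash columns, PHP 7.1 or later with the PDO sqlite driver, and constructed user names and passwords.

```php
<?php
// Added example: Celauran's temporary-password field, built on password_hash() and
// password_verify(). Assumed schema: users(id, username, password_hash, temp_password_hash).

// Admin reset: store only a hash of the temporary password; leave the real hash untouched.
function adminSetTemporaryPassword(PDO $db, int $userId, string $tempPassword): void
{
    $stmt = $db->prepare('UPDATE users SET temp_password_hash = :h WHERE id = :id');
    $stmt->execute([':h' => password_hash($tempPassword, PASSWORD_DEFAULT), ':id' => $userId]);
}

// Returns null on failure, otherwise the user id and whether a forced reset is required.
function login(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash, temp_password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if (password_verify($password, $row['password_hash'])) {
        return ['id' => (int) $row['id'], 'must_reset' => false];
    }
    if ($row['temp_password_hash'] !== null && password_verify($password, $row['temp_password_hash'])) {
        // Temporary credential accepted: the caller must redirect to the forced-reset page.
        return ['id' => (int) $row['id'], 'must_reset' => true];
    }
    return null;
}

// Forced reset: write the new hash and clear the temporary one in a single statement.
function completeForcedReset(PDO $db, int $userId, string $newPassword): void
{
    $stmt = $db->prepare('UPDATE users SET password_hash = :h, temp_password_hash = NULL WHERE id = :id');
    $stmt->execute([':h' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $userId]);
}

// Stand-alone demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT NOT NULL, temp_password_hash TEXT NULL)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('forgotten-one', PASSWORD_DEFAULT)]);
adminSetTemporaryPassword($db, 1, 'hand-delivered-9f3k');
var_dump(login($db, 'alice', 'wrong-guess'));
var_dump(login($db, 'alice', 'hand-delivered-9f3k'));
completeForcedReset($db, 1, 'new-strong-passphrase');
var_dump(login($db, 'alice', 'hand-delivered-9f3k'));
var_dump(login($db, 'alice', 'new-strong-passphrase'));
```

Clearing the temporary hash inside completeForcedReset() is what makes the hand-delivered password single-use; adding an expiry timestamp next to temp_password_hash would also stop an unused reset from staying valid indefinitely.
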
PostPosted: Wed Jan 08, 2014 12:31 am 
Forum Newbie

Joined: Tue Jan 07, 2014 10:11 am
Posts: 3
Thanks a lot for the replies, guys!!! By the way, I'm an IT student and I'm still learning my way around PHP, so a big thanks for the new insights.
I'm gonna go with califdon because it seems to be more reliable and practical, but still thank you to Celauran; I might consider your suggestion in my next projects.

