Thread ID: 105310 2009-11-27 01:56:00 "Drop-in" PHP / MySQL Username / Password auth system? Chilling_Silence (9) Press F1
Post ID Timestamp Content User
834048 2009-11-27 01:56:00 Hi all,

I'm writing a website for myself, and right now I've written a username / pass system (I generate the users a "safe" pass and email it to them), except the problem I have is storing them in a way that's easily retrievable. Right now I don't have any form of database setup, so if a user forgets their password they have to email me to get it re-sent. I'd like a way for it to be re-sent online if possible.

Similar to how there are drop-in CAPTCHA scripts, does anybody know if there's something out there like that which I can easily integrate? I basically just want a way of storing the Username / Pass / Email Address & Name (And possibly date registered) of the person in a database, then a way of sucking it back out again so I can send an email to their address with the username & password that they've forgotten.

Thanks


Chill.
Chilling_Silence (9)
834049 2009-11-27 10:52:00 I wrote a password system and a self-reset system from scratch.

Basically the email address is the login name. The password is stored in the database in encrypted format. I use MD5 with a seed.

If a user forgets their password then they enter their email address, a reset token is sent to that address and the current password is reset. The reset token is stored in a table along with the internal user id (the reset token is a string tacked on to the end of a URL, e.g. www.yourdomain.com).

The landing page then checks the token exists and then forces the user to enter a new password and verifies it.

It may not be the most secure but it will do for my site.

So that's basically it. There are plenty of classes and code samples out there if you don't want to formulate your own. Google can help you here.
HAL9000 (12736)
834050 2009-11-27 21:12:00 Only thing is my coding skills are pretty poor. I've got it tying in with poptop so first the submission script checks to make sure their username is "safe". Then it generates them a "safe" password that's not too long or has funky chars or anything that might break the config file that poptop uses for vpn auth.
Ideally what I'm after is just a way of saving their username / pass / email, and then a single "query" that I can run to search for a person's address and then provide me with the password for that email address if the email is in the database, so I can then have it automatically emailed back off.

Again, not the most secure, but it'd work :D

...but yeah, my main issue is I can't really code to save myself. I'm amazed I even managed to get it this far, but SQL is a bit beyond me at this point in time :-/
Chilling_Silence (9)
834051 2009-11-27 21:39:00 I learnt a lot of my skills by looking at other code and just doing.

One of the things I have come to agree with is that it is better not to store the password in such a way that you can email it back to the user if they forget it.
If you do then you have an issue if your database gets compromised in some way, as all users' details will be accessible. Remember users often use the same password for email, internet banking and so on.

To me it appears that the generally accepted way of storing passwords is to encrypt them (MD5, SHA, etc.) in the database, and the login process then compares the user's input with the stored encrypted password.

Pseudo PHP code would be something like

<?php
// Hash the submitted password with the same one-way method used when it was stored
$inputpassword = hash('sha256', $_POST["password"]);

// Look up the stored hash for this email; $pdo is an existing PDO connection
$stmt = $pdo->prepare("SELECT password FROM users WHERE useremail = ?");
$stmt->execute([$_POST["email"]]);
$storedpasswords = $stmt->fetchAll(PDO::FETCH_COLUMN);

if (count($storedpasswords) == 1 && hash_equals($storedpasswords[0], $inputpassword)) {
    // Email exists only once and input and stored hashes match
    // successful authentication process
} elseif (count($storedpasswords) < 1) {
    // No such email address error process
} else {
    // Invalid password process
}

This is a very simplistic example and also assumes that only one instance of an email address is permitted and that it is used as the primary login id.

I detailed the password reset process earlier.
HAL9000 (12736)
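The two pieces HAL9000 describes above, the one-way hashed login check and the emailed reset-token flow, written out as an added example that is not code from the thread. It uses PHP's built-in password_hash/password_verify and an in-memory SQLite database so it runs stand-alone; the table and column names are assumptions, and a MySQL DSN would replace the SQLite one on a real site.

```php
<?php
// Added example (not from the thread). Table/column names are assumptions.
// Tokens are stored hashed, expire, and are single-use; passwords are never recoverable.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pwhash TEXT)');
$pdo->exec('CREATE TABLE resets (user_id INTEGER, tokenhash TEXT, expires INTEGER)');

function register(PDO $pdo, string $email, string $password): void {
    // password_hash salts automatically; the stored value cannot be turned back
    // into the password, so a forgotten password is replaced, not mailed out.
    $stmt = $pdo->prepare('INSERT INTO users (email, pwhash) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $email, string $password): bool {
    $stmt = $pdo->prepare('SELECT pwhash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    // Unknown email and wrong password give the same result to the caller
    return $hash !== false && password_verify($password, $hash);
}

function createResetToken(PDO $pdo, string $email, int $ttl = 3600): ?string {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $id = $stmt->fetchColumn();
    if ($id === false) { return null; }        // page should still say "email sent"
    $token = bin2hex(random_bytes(32));        // the string tacked onto the emailed URL
    $stmt = $pdo->prepare('INSERT INTO resets VALUES (?, ?, ?)');
    $stmt->execute([$id, hash('sha256', $token), time() + $ttl]);  // store only its hash
    return $token;
}

function consumeResetToken(PDO $pdo, string $token, string $newPassword): bool {
    $stmt = $pdo->prepare('SELECT user_id FROM resets WHERE tokenhash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $uid = $stmt->fetchColumn();
    if ($uid === false) { return false; }                 // unknown or expired token
    $pdo->prepare('DELETE FROM resets WHERE user_id = ?')->execute([$uid]);  // single use
    $pdo->prepare('UPDATE users SET pwhash = ? WHERE id = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $uid]);
    return true;
}

register($pdo, 'alice@example.com', 'first-secret');      // constructed sample user
$t = createResetToken($pdo, 'alice@example.com');
consumeResetToken($pdo, $t, 'second-secret');
var_dump(login($pdo, 'alice@example.com', 'first-secret'), login($pdo, 'alice@example.com', 'second-secret'));
```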
834052 2009-11-28 03:10:00 Ah but the login isn't to the website, it's through poptop (pptp vpn daemon).
I'm not worried about users having each other's passwords really, if it came down to it, as the system blocks international users and it's quite well locked down anyway in terms of ports allowed through it, traffic, originating IPs etc ;)

Unfortunately I don't see any other real way of doing it aside from storing them in the database, unless I do something like run each through a base64 converter or something that's reversible when I need to email out the password to the forgetful user?
Chilling_Silence (9)