Canjucks Posted January 31, 2021

I'm getting errors in the header with no From being present. I'm not sure how to add that. Can someone help?

$url = $_SERVER["HTTP_ORIGIN"] . $_SERVER["SCRIPT_NAME"] . "?page=forgotPassword&action=resetPassword&auth=" . $user["U_password"] . "&id=" . $user["U_id"];
$body = "To reset your password please follow the link below: \r\n " . $url;
mail($user["U_email"], "Password Reset", $body);

Hours later I find the answer ... well, I thought of it, I just couldn't do it ... this computer geek does competitive sports, lol. Anyway, it just needs a $from line added to mail(). Problem solved.
sniko Posted January 31, 2021 (edited)

Let's not put user passwords in the query string (even if hashed). Create a unique token for the password reset with an appropriate timeout: you want this process to have an expiry so you don't get a replay attack for an account takeover. The issue is leaking password hashes (I hope U_password is a hash and not the raw string) in the user's browser history (and in the request itself). Not a huge attack vector with these games, but let's follow best practices. https://www.php.net/manual/en/function.uniqid.php
Sim Posted January 31, 2021

I always add an extra field in the users table, actCode. If it's set to 0, the account is activated. Regarding using it for password reset, I would email a special URL like:

forgotPassword.php?code={actCode}

Once at the page, it would allow the user to change their password. Other stuff you could do would be like:

forgotPassword.php?code={actCode}&key={encryptedSomething}

where encryptedSomething would be their username or password or userID, something unique about the user. Otherwise, someone could go through forgotPassword.php?code={actCode} and start having it cycle through numbers 1 2 3 4 5 6 7 8 9 10 etc. But usually I would create a code of X digits:

$length = 15;
$code = "";
for ($x = 0; $x < $length; $x++) {
    $num = rand(1, 100);
    if ($num > 50) {
        // random letter: ASCII 65-90 is A-Z, 97-122 is a-z
        $code .= chr(rand(0, 1) ? rand(65, 90) : rand(97, 122));
    } else {
        // random single digit
        $code .= rand(0, 9);
    }
}

Output would be something like 44hzn9J5D1M3g3H
Canjucks Posted January 31, 2021 (Author)

7 hours ago, sniko said:
> Let's not put user passwords in the query string (even if hashed). Create a unique token for the password reset with an appropriate timeout: you want this process to have an expiry so you don't get a replay attack for an account takeover. The issue is leaking password hashes (I hope U_password is a hash and not the raw string) in the user's browser history (and in the request itself). Not a huge attack vector with these games, but let's follow best practices. https://www.php.net/manual/en/function.uniqid.php

This is the standard approach taken in the original code. I hope that @Chris Davies will update the core, but I will try and update it myself if I can.
URBANZ Posted January 31, 2021 (edited)

I would agree with @sniko. This was one of the first things I changed when using GL. I will post a full example at some point, but I use an extra table, also for IP storage; I use inet_aton storage for this (you can change that data type if you wish, if you are not storing IPs like I do). The main idea is to store the IP, agent and hash and check each of them; also, using the created value, check if it's older than 1 hour and, if it is, invalidate the code and make them resend again.
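The following is an added example, not code from this thread or from the GL code base, that puts the three replies above together: sniko's random token with an expiry instead of the password hash in the URL, Sim's point that the code must not be guessable by counting upwards, and URBANZ's extra table holding IP, agent, hash and created time with a one-hour cut-off. It also supplies the From header the original poster was missing. The table and column names, the base URL, the sender address and the sample addresses are assumptions; the reset link is built from a configured base URL rather than from $_SERVER["HTTP_ORIGIN"], which is supplied by the client. It runs stand-alone with PHP's pdo_sqlite extension on an in-memory database.

```php
<?php
// Added example, not code from the thread or from the GL code base: a password
// reset that emails a random, expiring, single-use token instead of the password
// hash. Table and column names, the base URL and the sender address are assumptions.
// Runs stand-alone with PHP's pdo_sqlite extension (in-memory database).

const RESET_TTL_SECONDS = 3600;               // one-hour window, as URBANZ describes
const BASE_URL = 'https://game.example';      // assumed; configured, not read from request headers
const FROM_ADDRESS = 'noreply@game.example';  // assumed sender for the From header

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only the SHA-256 of the token is stored, so a leaked table does not yield usable links.
    $db->exec('CREATE TABLE password_resets (
        id INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL,
        token_hash TEXT NOT NULL UNIQUE,
        ip INTEGER NOT NULL,
        agent TEXT NOT NULL,
        created INTEGER NOT NULL,
        used INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Generate a 256-bit token from the CSPRNG (not rand() or uniqid()), record its hash
// together with the requesting client's IP and User-Agent, and return the raw token.
function createResetToken(PDO $db, int $userId, string $ip, string $agent, int $now): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO password_resets (user_id, token_hash, ip, agent, created)
                          VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), ip2long($ip), $agent, $now]);
    return $token;
}

// Build the mail() arguments; the From header the original poster was missing goes in 'headers'.
function buildResetMail(string $to, string $token): array {
    $url = BASE_URL . '/index.php?page=forgotPassword&action=resetPassword&token=' . urlencode($token);
    return [
        'to'      => $to,
        'subject' => 'Password Reset',
        'body'    => "To reset your password please follow the link below:\r\n" . $url,
        'headers' => 'From: ' . FROM_ADDRESS . "\r\n",
    ];
}

// Validate a token presented in the query string. Returns the user id on success,
// null for an unknown, already used, expired, or different-client token.
function consumeResetToken(PDO $db, string $token, string $ip, string $agent, int $now): ?int {
    $stmt = $db->prepare('SELECT id, user_id, ip, agent, created, used
                          FROM password_resets WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false)                                   return null; // no such token
    if ((int)$row['used'] === 1)                          return null; // single use: blocks replay
    if ($now - (int)$row['created'] > RESET_TTL_SECONDS)  return null; // expired
    if ((int)$row['ip'] !== ip2long($ip))                 return null; // different client
    if ($row['agent'] !== $agent)                         return null;
    $db->prepare('UPDATE password_resets SET used = 1 WHERE id = ?')->execute([$row['id']]);
    return (int)$row['user_id'];
}

// Demonstration with constructed values.
$db    = openDb();
$now   = time();
$ip    = '203.0.113.5';
$agent = 'Mozilla/5.0 (constructed)';

$token = createResetToken($db, 42, $ip, $agent, $now);
$mail  = buildResetMail('player@example.net', $token);
echo "mail() would be called as mail(to, subject, body, headers) with:\n";
print_r($mail);

// First use from the same client within the hour succeeds.
var_dump(consumeResetToken($db, $token, $ip, $agent, $now + 600));
// The same link presented again is rejected (single use).
var_dump(consumeResetToken($db, $token, $ip, $agent, $now + 700));
// A fresh token presented after the window is rejected (expiry).
$late = createResetToken($db, 42, $ip, $agent, $now);
var_dump(consumeResetToken($db, $late, $ip, $agent, $now + RESET_TTL_SECONDS + 1));
// A fresh token presented from another IP is rejected (client check).
$other = createResetToken($db, 42, $ip, $agent, $now);
var_dump(consumeResetToken($db, $other, '198.51.100.7', $agent, $now + 60));
```

In a real install the caller passes the array from buildResetMail() to mail($to, $subject, $body, $headers) and the reset page calls consumeResetToken() with $_GET['token'], $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_USER_AGENT'] before showing the new-password form. The IP and agent checks follow URBANZ's design; they tighten the window for a stolen link but will also reject a legitimate user whose network changed between requesting and clicking, so decide whether that trade-off suits your players. The token is the only secret in the link, so there is no need for Sim's extra key parameter; 32 random bytes cannot be cycled through.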