MakeWebGames

Forget Password


Canjucks


I'm getting errors in the header with no From being present. I'm not sure how to add that. Can someone help? 

                // $user is the row looked up for the submitted e-mail address
                $url = $_SERVER["HTTP_ORIGIN"] . $_SERVER["SCRIPT_NAME"] . "?page=forgotPassword&action=resetPassword&auth=" . $user["U_password"] . "&id=" . $user["U_id"];

                $body = "To reset your password please follow the link below: \r\n " . $url;
                // mail() needs a From header, otherwise the mail server rejects the message;
                // the sender address here is a placeholder, use your game's address
                $from = "From: noreply@example.com\r\n";
                mail($user["U_email"], "Password Reset", $body, $from);

            }


Hours later I found the answer ... well, I thought of it, I just couldn't do it ... this computer geek does competitive sports lol

Anyway, it just needs a $from line added to mail(); problem solved.


Let's not put user passwords in query string (even if hashed). Create a unique token for the reset password with an appropriate timeout - you want this process to have an expiry so you don't get a replay attack for an account takeover.

The issue is leaking password hashes (I hope U_password is a hash and not the raw string) in user browser history (and the request itself). Not a huge attack vector with these games, but let's do best practices.

https://www.php.net/manual/en/function.uniqid.php

Edited by sniko

I always add an extra field in the users table, actCode. If it's set to 0, the account is activated.

Regarding using it for reset password, I will email a special URL like:

forgotPassword.php?code={actCode}

Once at the page, it would allow the user to change their password.

Other stuff you could do would be like:

forgotPassword.php?code={actCode}&key={encryptedSomething}

where encryptedSomething would be their username or password or user ID, something unique about the user.

Otherwise, someone could go through forgotPassword.php?code={actCode}

and start having it cycle through numbers 1 2 3 4 5 6 7 8 9 10 etc.

But usually I would create a code like X digits:

$length = 15;            // X digits
$code = "";

for ($i = 0; $i < $length; $i++) {
    // random_int() rather than rand(): it draws from the CSPRNG, so the code is not guessable
    $num = random_int(1, 100);

    if ($num > 50) {
        // create a random letter: ASCII 'a'..'z' is 97..122, upper-cased half of the time
        $letter = chr(random_int(97, 122));
        if (random_int(0, 1) === 1) {
            $letter = strtoupper($letter);
        }
        $code .= $letter;
    } else {
        // create a random digit 0..9
        $code .= random_int(0, 9);
    }
}

echo $code;

Output be something like 44hzn9J5D1M3g3H


7 hours ago, sniko said:

Let's not put user passwords in query string (even if hashed). Create a unique token for the reset password with an appropriate timeout - you want this process to have an expiry so you don't get a replay attack for an account takeover.

The issue is leaking password hashes (I hope U_password is a hash and not the raw string) in user browser history (and the request itself). Not a huge attack vector with these games, but let's do best practices.

https://www.php.net/manual/en/function.uniqid.php

This is the standard approach taken in the original code. I hope that @Chris Davies will update the core... but I will try and update it myself if I can.


I would agree with @sniko; this was one of the first things I changed when using GL. I will post a full example at some point, but I also use an extra table for IP storage. I use inet_aton storage for this; you can change that data type if you wish if you are not storing IPs like I do.

(attached screenshot: Capture.PNG)

The main idea is to store the IP, agent and hash and check each of them; also, using the created value, check if it is older than 1 hour and, if it is, invalidate the code and make them resend again.

Edited by URBANZ
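The reset flow that sniko and URBANZ describe (a random token with an expiry instead of the password hash in the URL, with the IP, agent and a hash of the token stored alongside the creation time), as an added example that is not code from this thread or from the GL core. Storage is an in-memory array standing in for the extra table; the column names, RESET_TTL_SECONDS and the function names are assumptions, and the addresses are placeholders.

```php
<?php
// Added example, not the thread's or the GL core's code: token-based password reset.
// Only a SHA-256 hash of the token is stored, so a dump of the reset table does not
// hand out working links; IP, user agent and creation time are checked on use and
// the row is invalidated on any failure, as URBANZ describes.

const RESET_TTL_SECONDS = 3600;   // 1 hour, assumed value

// Stand-in for the reset table: token hash => row
$resetTable = [];

function createResetToken(array &$table, int $userId, string $ip, string $agent, int $now): string
{
    // 32 bytes from the CSPRNG, hex-encoded so it is safe to put in a URL
    $token = bin2hex(random_bytes(32));
    $table[hash('sha256', $token)] = [
        'user_id' => $userId,
        'ip'      => inet_pton($ip),   // binary form, the PHP side of MySQL's INET_ATON
        'agent'   => $agent,
        'created' => $now,
        'used'    => false,
    ];
    return $token;
}

function buildResetUrl(string $base, string $token): string
{
    return $base . '?page=forgotPassword&action=resetPassword&token=' . urlencode($token);
}

// Returns the user id when the token is valid for this client; otherwise removes the
// row and returns null, so the user has to request a fresh mail.
function consumeResetToken(array &$table, string $token, string $ip, string $agent, int $now): ?int
{
    $hash = hash('sha256', $token);
    if (!isset($table[$hash])) {
        return null;
    }
    $row   = $table[$hash];
    $ipBin = inet_pton($ip);
    $expired    = ($now - $row['created']) > RESET_TTL_SECONDS;
    $sameClient = $ipBin !== false
        && hash_equals($row['ip'], $ipBin)      // constant-time compares, no early exit
        && hash_equals($row['agent'], $agent);
    if ($row['used'] || $expired || !$sameClient) {
        unset($table[$hash]);                   // invalidate the code on any failure
        return null;
    }
    $table[$hash]['used'] = true;               // single use
    return $row['user_id'];
}

// Usage: request side (values are constructed for the example)
$now   = time();
$token = createResetToken($resetTable, 42, '203.0.113.5', 'Mozilla/5.0 (example)', $now);
$url   = buildResetUrl('https://example.com/index.php', $token);
$body  = "To reset your password please follow the link below:\r\n" . $url;
$from  = "From: noreply@example.com\r\n";
// mail($userEmail, "Password Reset", $body, $from);   // needs a configured MTA

// Usage: the link is followed 10 minutes later from the same browser, then reused
var_dump(consumeResetToken($resetTable, $token, '203.0.113.5', 'Mozilla/5.0 (example)', $now + 600));
var_dump(consumeResetToken($resetTable, $token, '203.0.113.5', 'Mozilla/5.0 (example)', $now + 601));
```

The first consumeResetToken() call returns the user id and marks the row used; the second returns null because the row is single use. A call after RESET_TTL_SECONDS, or from a different IP or user agent, likewise returns null and deletes the row. In the game this array would be the extra table, and the lookup by token hash replaces the id/auth pair in the original query string.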
