Jump to content
MakeWebGames

Recommended Posts

I'm getting errors in the header with no From being present. I'm not sure how to add that. Can someone help? 

 

                $url = $_SERVER["HTTP_ORIGIN"] . $_SERVER["SCRIPT_NAME"] . "?page=forgotPassword&action=resetPassword&auth=" . $user["U_password"] . "&id=" . $user["U_id"] . "";

                $body = "To reset your password please follow the link below: \r\n " . $url;
                mail($user["U_email"], "Password Reset", $body);

            }

 

hours later I find the answer ... well I thought of it just couldn't do it ... this computer geek does competitive sports lol

Anyway just needs a $from line and added to mail() problem solved

Link to post
Share on other sites

Let's not put user passwords in query string (even if hashed). Create a unique token for the reset password with an appropriate timeout - you want this process to have an expiry so you don't get a replay attack for an account takeover.

The issue is leaking password hashes (I hope U_password is a hash and not the raw string) in user browser history (and the request itself). Not a huge attack vector with these games, but let's do best practices.

https://www.php.net/manual/en/function.uniqid.php

 

 

Edited by sniko
  • Like 1
Link to post
Share on other sites

I always add an extta field in users table actCode. If its set to 0, account is activated.

Regarding using it for reset password, I will email a special url like:

forgotPassword.php?code={actCode}

Once at the page, it would allow user to change password.

 

Other stuff you could do would be like:

forgotPassword.php?code={actCode}&key={encryptedSomething}

 

where encrypted something would be like there username or password or userID. Something unique about user. 

 

Otherwise, someone could go threw forgotPassword.php?code={actCode} 

And start having it cycle threw numbers 1 2 3 4 5 6 7 8 9 10 ect.

 

But usually i would create code like X digits

Code = "";

For(×=0; ×< lemgth of code; ×++)

Num = rand(1,100)

If(num>50)

{

Create random character

Rand(x,y) forget ascii key set off top of my head

Code = code + (random character just created

}

Else

{

Num= rand(0, 10)

Coode = code + (random # just created)

}

Output be something like 44hzn9J5D1M3g3H

Link to post
Share on other sites
7 hours ago, sniko said:

Let's not put user passwords in query string (even if hashed). Create a unique token for the reset password with an appropriate timeout - you want this process to have an expiry so you don't get a replay attack for an account takeover.

The issue is leaking password hashes (I hope U_password is a hash and not the raw string) in user browser history (and the request itself). Not a huge attack vector with these games, but let's do best practices.

https://www.php.net/manual/en/function.uniqid.php

 

 

This is the standard approach taken in original code. O hope that @Chris Davies will update the core.... but I will try and update myself if I can

Link to post
Share on other sites

i would agree with @sniko this was one of the first things i changed when using GL i will post a full example at some point but i use an extra table also for ip storage i use inet_aton storage for this you can change that data type if you wish if you are not storing ips like i do.

Capture.PNG.0afbe4c240f6293ae7293358dd8bb917.PNG

main idea is to store the IP, Agent and hash and check each of them, also with the created value is to check if its longer than 1 hour if it is invalidate the code and make them resend again. 

Edited by URBANZ
  • Like 3
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...