views:

1170

answers:

2

Hi, I am hoping that there is a standard class/php script that we can use for the "forgot password" functionality. It seems almost every website has one, and I'd like to reduce the development time on it.

It appears that a common approach is:

1) click on Forgot password 2) User receives via email a "reset password" link 3) Click on the link allows typing in "new passowrd" "retype password" 4) life is good

I don't want to do it from scratch, hoping someone who has thought through any nuances can point me to pre-existing code. It would seem that this is a pretty standardized.

All: got some responses, but I'm hoping perhaps someone can recommend a pretty standard class or CMS that meets generally accepted security guidelines....thanks

Thanks.

A: 

You can steal it from a wide variety of frameworks/CMSs. Drupal, Kohana, etc...

Zak
I have been using qcodo which doesn't appear to have that built in...which I thought was odd....
AFG
+3  A: 

I use my own scripts for password resetting.

I create a table to store a user_id, a random key and a time that the password reset initiated:

// query is my own SQLite3 wrapper function which ensures I have a valid database connection then executes the SQL.
// I would imagine small changes will be needed to the SQL for MY SQL.
query("create table reset_password (user_id integer not null default 0, key text not null default '', time integer not null default 0)");
query("create unique index reset_password_user_id on reset_password (user_id)");
query("create index reset_password_key on reset_password (key)");

Then when a password needs to be reset, the following code is called:

// $user_id must be an integer that matches a valid user's ID.
function reset_password($user_id) {
  query("delete from reset_password where user_id = $user_id");
  $key = substr(base64_encode(crypt('', '')), 0, 32);
  query("insert into reset_password values ($user_id, '$key', " . time() . ")");
  // fetch is my own wrapper function to fetch a row from the query.
  $f = fetch(query("select username from users where id = $user_id"));
  // smtp is my own function, you will probably want to use the php mail function.
  smtp(
    "[email protected]", // sender
    $f['username'], // recepient
    "From: The example.com Web Site <[email protected]>\r\n" . // email headers
    "To: {$f['username']} <{$f['username']}>\r\n" . // actual email address <put a nice friendly name in here if you have the the information>
    'Subject: Reset Password' . "\r\n" .
    "\r\n" .
    "Hello\r\n" . // email body
    "\r\n" .
    "A request has been made to reset your example.com web site password.\r\n" .
    "\r\n" .
    "To complete the request, click on the following link within 48 hours of the transmision of this email and follow the on screen instructions.\r\n" .
    "\r\n" .
    /// URL is defined as the root of the URL used in the email, in this example it would be "http://example.com/"
    URL . "index.php?page=reset-password&user_id=" . urlencode($user_id) . "&key=" . urlencode($key) . "\r\n" .
    "\r\n" .
    "Kind regards,\r\n" .
    "\r\n" .
    "The example.com Web Site"
  );
}

When the link in the email is clicked a page is displayed which contains the following:

// form, input_hidden, table, tr, td, label, input_password and input_submit are my own wrappers which return the appropriate HTML with escaped values where required.
echo
  form('reset-password/ok',
    input_hidden('user_id', $_GET['user_id']) .
    input_hidden('key', $_GET['key']) .
    table(
      tr(
        td(label('New Password')) .
        td(input_password('new_password', ''))
      ) .
      tr(
        td(label('Confirm Password')) .
        td(input_password('confirm_password', ''))
      )
    ) .
    input_submit('ok', 'OK')
  );

When the above form is submitted, the following is executed:

// The reset_password_message function displays the message to the user.
if (!isset($_POST['user_id'])) {
  reset_password_message('You must enter a user ID. Please try again.');
} else if (!isset($_POST['key'])) {
  reset_password_message('You must enter a key. Please try again.');
} else if (!isset($_POST['new_password']) || !$_POST['new_password']) {
  reset_password_message('You must enter a new password. Please try again');
} else if (!isset($_POST['confirm_password']) || $_POST['new_password'] != $_POST['confirm_password']) {
  reset_password_message('The new password and the confirmation do not match. Please try again.');
} else if (!$f = fetch(query("select time from reset_password where user_id = " . (integer)$_POST['user_id'] . " and key = '" . escape($_POST['key']) . "'"))) {
  reset_password_message('The user ID and key pair are invalid. Please try again.');
} else if ($f['time'] < time() - 60 * 60 * 24 * 2) { // 60 seconds * 60 minutes * 24 hours * 2 days (48 hours as explained in the email sent to the user above).
  reset_password_message('The user ID and key pair have expired. Please try again.');
} else {
  query("update users set password = '" . crypt($_POST['new_password']) . "' where id = " . (integer)$_POST['user_id']);
  reset_password_message('Your password has been reset. Please login.');
}

You're welcome to use this code instead of "rolling your own", but you will need to make a few changes or add a few functions to make it complete.

Stacey Richards