13 replies to this topic

[Jelmer]

Well, I've created more or less a snippet that does the following:

- Asks for the users Username and Email address
- Optionally checks a CAPTCHA code (recommended)
- Verifies that this user exists
- Creates a random new password
- Mails the new password to the user
- Saves the new password to the DB

It's not perfect yet since my domain seems to refuse all the mail created by this snippet. So if someone could clean up the mail code, I'd be happy!

The code still contains a lot of debugging code, I'll remove it if we're sure it works for everyone. I'd like to have some feedback on this.

It would be nice to have it finished and perfected ASAP, because it's a neat function for Eto.

HINT: DON'T USE THIS ON YOUR ONLY ADMIN ACCOUNT, USE A TESTING ACCOUNT!

UPDATE AUGUST 13:
- Added language variables
- Added some configuration
- Now final (1.0)

Attached Files

•  retrieveLostPassword.php   7.91K   46 downloads

Edited by Jelmer, 13 August 2006 - 10:43 AM.

[Bacteria Man]

I just tested your snippet and it works exactly as described. Nice work.

I have a couple of suggestions.

1) Provide an option to send the current or new password. Example: newpass=1 (yes, default)
2) Restrict access to unathenticated users only (just to keep things tidy.)

A short description on how this is to be implemented would be useful. I suspect it's best suited to appear on a separate page using a template that doesn't not include the authenticate_visitor snippet. (It makes no sense for the user to see the login form when they've forgotten their password.)

John

[Jelmer]

Well sending the old password is not going to work, since the passwords are stored encrypted in the database. The only option is to compare them to the same encrypted string, there's no way (I know of) that allows you to decrypt it back...

[Bacteria Man]

Oh, right. I believe the password is saved as MD5, which is a one-way hash.

[Jelmer]

Exactly. I'll have a go at nr2 tomorrow...

[Jelmer]

I didn't add the access to unauthenticated users only, because I can't see the benefits.
I cleaned up the code and added language variables. I call it final, unless someone finds something!

Updated version in the first post!

[Bacteria Man]

My suggestion was to block access to AUTHENTICATED users so someone can't request a new password for themselves while logged in. This is not essential, but I like to keep people out where they don't belong.

[Dean]

so how would you distinguish which users could change their password then?

[Jelmer]

That's another snippet Dean. Changing a password to a self-chosen one is only for authenticated users.

[Dean]

That's what I'm saying - Bacteria Man wanted to block Authenticated users from changing the password, and I couldn't work out why he'd want to do this...

[Jelmer]

I understood that Bacteria Man wanted to block AUTHENTICATED users from requesting a new random password. That makes sense bacause this feature is usualy for users who have forgotten theirs and therefore are not logged in.

Well Bacteria Man and I seem to understand each other anyway, so let's move on

[Dean]

Ah gotcha, I understand now

[cathode]

Does anyone have this file anymore? It's been eaten up by the old snippet monster...

[tomariwa]

cathode, on May 13 2008, 07:01 PM, said:

Does anyone have this file anymore? It's been eaten up by the old snippet monster...

Here you go!

Attached Files

•  retrieveLostPassword.txt   8.48K   14 downloads

Edited by tomariwa, 13 May 2008 - 04:57 PM.