I've got database with users and i need to deactivate accounts. When user try to login, wordpress should send new activation mail and ask for new password.
How can i make it?
I was try to delete password from database and set user_status to 1, but it's not working :/
Any ideas? (help please)
Activation / desactivation is not a native feature of Wordpress.
You can use some plugins like this one : http://wordpress.org/extend/plugins/wp-approve-user/
After this you disapprove all users and you can make a PHP script which reset all the password and send the new one to the registered mail.
Encoding of the password is in MD5, check this : codex.wordpress.org/Resetting_Your_Password
Related
I have my own Users page in my application where user Admin can create a new user.
I do not want to let the user sign up by himself, but have the admin of the system add this user.
What do you think the flow for that should be ?
I thought about:
create a new user with username and temp password in the users page.
The user gets an email and presses a link to confirm the email.
The user goes to the login screen of my application and inserts the username and temp password.
the login page changes to Change password so the user will insert the password and confirm the password for him.
when pressing login the user logins to the system.
I cannot find a best practice for adding a new user from a built-in users page in the app.
Do you think my flow is reasonable?
Do you have any code that I can use for that?
This is pretty close to the flow which Cognito has for admin-created users by default when using the Amplify UI Authenticator component. The only difference is that the temporary password is sent to the user via email, so the admin never needs to see it.
To achieve this, you need to use the AdminCreateUser action. The way you do this will vary depending on the library you're using to communicate with Cognito. If it's Python, you can use boto3. If it's JS, you can use the AWS JS SDK. (Sample code in this GitHub comment.)
It's not required to use Amplify UI, you could write all the pages yourself. But it works well with very little effort and looks quite professional. So it should be the first thing you try. Here's another answer providing sample code for React.
I would like to ask some questions about password security. In my software the admin can create a new user setting the password and the username. I believe sending the password in plain text in an email is not a very good idea, so I’m thinking about sending a link that redirect the user to a page where they can set up their password. This link should expire after few hours as well. On my login form I’ve also have the option “forgot password” how can I prevent that a user doesn’t use it until they create the new password? How would you do it?
A password reset link is technically exactly the same as a registration link, both are relying on the "fact" that only the owner of the email address can read the link. So there is no reason to prevent a password reset when the user did not yet login.
The usual workflow is slightly different though, usually the user makes the first contact with the site and on the register page (s)he is asked to enter a password.
Disclaimer: This is more of an Auth0 Lock question--there isn't an "Auth0-Lock" tag yet, if someone with 1500+ rep wants to create one.
Anyone know how or if there is a way to make it so Lock does not show the email/username and password fields on the login tab, as well as the email, username, and password fields on the Sign Up tab?
I figured it out. The search results from Auth0's site took me to old documentation.
Solution:
the OPTIONS object you can pass into the lockProvider accepts a property called "allowedConnections", which is an array of string values. I just had to list the connection options I wanted to be ALLOWED rather than letting it show all the connections I have available for the app.
Documentation for Lock v10:
https://auth0.com/docs/libraries/lock/v10/customization#allowedconnections-array-
The follow allows users to log in but not to sign up with a username/password:
manage.auth0.com
Connections
Database
Username-Password-Authentication
Settings
Disable Sign Ups
I am building an MVC4 app in which users will be registered by a site admin. The site admin will enter everything but the password of course. I then generate a token and send via email for them to set their password. However, I don't see a way to create a user without a password. I can either randomly generate one or assign one in the code. What is the best way to handle not having a password at account creation?
EDIT:
I used Membership.GeneratePassword for generate the password when I created the account.
Create a random password and allow them to change once the account is confirmed. Solves a number of problems.
I have been looking for the past few hours on how to user the phpBB login script on a custom site. I think I'm just not searching for the right things.
A while ago, I created a phpBB site and have over 900 members registered through phpBB. I am currently face-lifting this site and redoing the user registration along with all of the other custom code I have.
My problem is, I want the users to be able to log in as usual, though I want to input them into my new database so everything can run smoothly. I mainly need their username, password and old ID#, but I don't know how to use phpBB's password authentication or where to find it
The statement needs to look something like this:
On Login, grab username and password variables:
if the username is not in MY database, check phpBB database.
If the username is in phpBB database, check to see if the password is correct **(This is the part I don't know how to do)**
If the password is correct, input the username, user ID and the password (encrypted my way) into MY database
Login
If the password is incorrect - error
if the username is NOT in phpBB database - continue
if the username is not in MY database - input username and encrypted pass into my DB
login
Where can I find a script to authenticate the phpBB user's passwords? I don't care how the script is done, I know that's a secret, I just need to be able to authenticate passwords so that I can make sure it's the same user
I do have access to the phpBB database, I just need a way to authenticate their password
I would rather delete the quesion, but here's the answer:
Check here: http://sunnyis.me/blog/secure-passwords/
and when you download the PasswordHash.php, change all of the $P$ to $H$. It will work. Strange how it creates a password, every time it creates, it's different. But the CHECK part of it makes sure it checks it correctly, no matter what hashed pass it creates.