It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
In yii i am creating reset new password functionality. For this purpose user needs to enter his primary email id which he had entered during his registration. After that server will verify this e-mail id and will send security question to him.User will enter answer for that security question.At server side verification of this answer will be done from database. If matching found,password reset link will be get send to that primary email id. So how to implement this functionality in yii framework. Please help me....
You implement this thing like this:
Create a password change page, with a text field for submitting email id.
After user submit email, either check via ajax if email exist in database or not, and update the same page,
OR,
redirect him to same page if email doesnot exist else redirect to another page asking security question, when user submits answer, check whether answer is correct or not, if correct send him the mail with the links of changepassword page.
for checking email is correct or not you can execute following query:
mysql_query(SELECT email FROM user WHERE email = "$email");
where $email is email submitted by user.
if it returns 1 then email exists, else email doesnot found.
Same can be applied for answer check.
Thanks.
Related
The login and forgotten password functions can be used to enumerate valid email addresses on the application, as they return different messages depending on whether or not the emails are registered. Is there a way to avoid this?
This question was asked before: Google Identity Toolkit v3 Email enumeration through reset password functionality but remains unanswered so posting here with the google-oauth tag to see whether it reaches the right people.
I can log in to Stack Overflow automatically because it remembers my old password through facebook I think but that is the same password I need to access my old email where my entire game is lost in time. I can get a confirmation email and change the password to something new but this doesn't help. Is there any way someone, an admin or anyone, here could help me to find a way to view my current password? I spent years on that game, and my hard drives got stolen, and now this.
Thanks so much..
I want to let user to reset password in case he/she forgot his/her password without sending reset code to his/her mail box. Actually I don't want to use emailing reset password system.
Is there any way to let user reset his/her password without using email in secure way?
Is 'security question' using safe?
Or what is safe to use?
The safety of the secure question will depend on the difficulty of the question itself. If you don't want to use the mail() function then you can try either of the following:
You can send an OTP to his registered phone number.
You can use more than 1 secure question to identify the user and then allow him to reset the password. But make sure that the standard of the question is high.
For eg., avoid easy questions like name of your first school, name of the birthplace, etc. These questions can easily be answered by any other person close to the user.
Try questions like- What is the name of the city where you got lost?, What is the name of the teacher who gave you your first A?, etc.
This will be safe as well as help you avoid mail() function.
Safety can be improved with
OTP on mobile.
asking user to validate their personal information like:
email address,
last name,
date Of Birth,
last 4 digits of social security Number. etc..
two layer Reset. send two different codes to (primary and secondary/mail and mobile) and verify both of them.
if you have users registered mobile number. You can use One time password to authenticate users identity before letting him reset the password.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
Most of the websites says "username or password is wrong" whenever we typed wrong password.
Why are they not saying "your password is wrong"?
So that if someone is trying to guess a valid username and password they are not told "Yes, you managed to guess a valid username". That may or may not be a useful thing for any given site if usernames are visible in other ways.
Just ignore the security issue of saying "Your password is wrong".
First we can check whether it is possible to say "Your password is wrong".
I posted this question in our college group and I felt one answer from the group is worth positing here.
A website can say that 'your password is wrong' only if the website is
sure that you typed your username correctly. How do the website know
that you typed your username correctly? There is no way to know that.
The authentication failure may occur in three ways:
You may enter correct username but wrong password.
You may enter correct password but wrong username.
You may enter wrong username and password .
The website process it as given below.
a. If the username is not in database, the website can't say that 'Your username is wrong'. Because the website don't know whether the password you entered is your correct password.So the website can say 'Username or password is wrong.' only.
b. If the username is in database, the website can't say that 'Your password is wrong'.
Because the website don't know whether the username you entered is your correct username. So website can say 'Username or password is wrong.' only.
Apart from security, it may also be a 'lazy' design choice too. Why bother checking seperately if the username is wrong or the password is wrong, when you can just write one query and output whether it was success or not, ultimately the user will know themselves if they got one or the other wrong.
It can also be sure laziness or code cleanliness too. Simple example below.
If( password != submittedpw || username != submittedusername)
{
Print 'username and or password is wrong';
}
The above is much quicker to do than
if (password != submittedpw)
{
Print 'password is wrong';
}
elseif (username != submittedusername)
{
print 'username is wrong';
}
i already have UserController that can create, update and delete user and it is also connected to the database using sql server 2008 .
my question is how do i create a log-in page and at the same time check if the username and password you type is existing on my database and if not redirect to the same page.
hope you could help me i'm a beginner.
much thanks
This question is super broad but overall the process is not really that complicated.
If you already have a controller that can perform the create, update and delete you are 90% of the way there. All you need is code that fetches the user and checks the password they entered against the password stored in the database.
So your login page would have a form that takes a username and a passowrd. I assume you have a create user form? The login form could be somewhat similar. Instead of INSERTING the username and password you just grab the row for the USERNAME and then check the passwords. If they match, great! If not, just return the same view. Post some code so we can give specific examples.