Features of reset password functionality (one-click, one-use, 24 hours, ???) - passwords

We're setting up a feature to enable users to reset their password when they can't get access ot their account. We ask for their email address (which they use for logging into the site), send them an email with a unique link.
The questions are:
Should the link expire on first-click or should the link expire on first-use (ie, they reset their password successfully)?
Should the link have 24 hour validity (or something similar)?
Should the user be logged in after he clicks that link?

The link should expire after the password is changed. If you expired the link on the first click this can cause problems. Let's say I've got bad internet connection, and the page didn't load completely to my browser. I reload the page and it says link is expired. I wouldn't be happy user to see that.
Yes, you should limit the link to some reasonable time. 24 hours looks reasonable enough. If you don't limit the link lifetime, first of all you will have to store the generated id forever, secondly the longer you keep this link active the higher probability that link will be stolen by attacker, which will lead to stealing account.
You should let user in only after user changes his/her password. If you just log them in, they probably will decide that they don't have to change password anymore. This way they can keep logging into the system forever without ever changing/knowing their password.

The link should expire after they have reset their password successfully. If somehow the user ended up needing guidance on a password reset and wanted to return later, they should be able to.
That being said the reset should expire eventually, 48 hours?
Yes they should be logged in after a password reset, otherwise there is another frustrating step in the way of your user doing what they came to do on your site.

Related

Why is the User verification required?

I am very curious to know some of the points regarding registration and login related points as a developer points of view. Please see below the steps for any online account which is publicly open for all,
CREATE USER ACCOUNT : Insert the data entered by user along with a column activate which default value is 0
SEND A LINK TO ACTIVATE : a link has been sent to user email at the time of registration
ACTIVATE THE ACCOUNT : user clicks over the link and the link is verified and update the column 'activate' with value 1
Why to sent a link & verifying is necessary which I supposed that is not utmost required. I asked to clients why u want such verification and i get the answer almost same e.g. checking the authenticity of the user and it'd be helpful to stop the duplicity of the user.
but practically at the time of user login, i suppose it is useless to verify each time the activate column along with password for every user.
I would appreciate if u explain the points which is very important regarding my concern.
This is really a slippery slope, but there are reasons. Obviously spam users will try to create accounts as quickly as possible, for spam reasons. Email and captcha verification will handle this.
Another is the issue of clumsy or accident-prone users that will forget their passwords, which can be worked around by email reminders/resets. Sadly, users may try to add fake email addresses(or mistyped ones) and lose access to their accounts, requiring admin intervention. Simple verification can force users to get their account into a self-rescuable state before adding any data.

how login works?

Well, you type username and password in form, hit "OK" button. Then data going to server side and check users database if that user is existed. Then it return user id. And what next?
That data is saved in cookies?
Does it mean, that with every clicked link, site login you to website again?
I mean,
you click some link on site
browser redirect you to that page
site checks your cookies
site grab username and password from cookies
site checks is that data is valid (via connecting to database)
show page to you
Is that correct?
User enters credential.
System validates credential.
Upon successful authentication, server saves user object into session.
System grabs user info from session.
System displays webpage.
Tadaa!! :)
UPDATE
To add a little more...
User visits the secured webpage.
System checks if session contains a user object.
If user object exists in session, allow user through to visit the page.
If user object doesn't exists, redirect user to login page.
You don't need to store user password in the session. In fact, it is highly discouraged. Checking to make sure the user object exists in the session is sufficient.
When the user clicks the logout page, then proceed to invalidate the session... that's it. :)
Almost correct. You rarely go to the database with every request. You usually set a cookie with a expiry date and save the user session and info in memory. So every time a request is made, if the user is not authenticated, you authenticate him, generate and send him a cookie with, say, 5h expiry. So, in the next 5 hours, whenever a request comes in with that cookie, you trust that the user is an authenticated, valid user and you don't have to check the database.
It's not how every site does it nor it is the only way to manage session and cookies but I think it is the most widely used.
You should probably use sessions, but that's pretty much the gist of it. That way the data doesn't accidentally persist.
I mean, for my simple site at home, that's how I do it. But it's still locally hosted, so the security is guaranteed to be crap.
Oh, and no need to check with the database whenever you click on another link -- too much time wasted.
Typically, an application takes advantage of the session that is established between the browser and the web server, and makes a note that that session is "authenticated". "session" is a built in feature of HTTP. If the browser is closed, or after a certain period of time passes, the session is automatically closed. If the user does an explicit logout, the application marks the session as not-authenticated.

Why should we make account activation/password reset links expire after some time?

Would there be any big issues if they never expire?
Somebody forgot his password and requests to reset his password, an email with the password reset link is sent to him.
He then suddenly remembers his password and so he simply ignores the password reset email. But after a few days, he forgot again. Since he already has a password reset email in his mailbox, he simply clicks on that link to go back to the website to reset his password.
This seems ok, so why should we make account activation/password reset links expire after some time?
What if their email account was compromised. The attacker then sees all these "password reset" links and clicks through them further compromising more accounts. Among them your service which may use Real Money or Credit Card information.

Should password reset pages automatically authenticate users?

Many lost password workflows usually result in a page which is reached by a temporary link emailed to the user. This link then takes them to a page that asks for a new password.
Upon entering the new password should a user be forced to logon manually, or should the password reset page authenticate the user automatically which would reduce the number of steps and thus complexity of the process for the end user?
I often encounter password reset pages that make me reset my password and then login which feels like I'm logging in twice for no good reason.
I quite like drupal's method: The user gets sent an email with a link in it which will log them on once; upon logging in with it they are given the opportunity to change their password.
I don't know of any significant advantage to forcing the user to re-enter the password that they just entered twice. If someone does, I'd be interested to hear about it.
You should make it auto login. Don't see why you would make the user login.
If it's because of bot protection, just add a captcha when the user logins using the link.

How do I prevent dual Login of my users in my web application

how do I prevent my users for more than one simultaneous login per account. I am using Vb.Net SQL.
Just coming from a 'web programmers' point of view, there is one really simple way:
You have to use some sort of central session system, where a Cookie on the user's browser has a hash, or some unique key that is also stored in the database. One each page request, or at set intervals, you check if that hash exists in the database.
Then, whenever you have a user log in, you delete any hashes that are tied to that user in the database, and then you create a new one for the user logging in.
What happens is if a user logs in, and you delete existing hashes from the database, then the other user will be logged out when you go to check for their hash in the database.
Not VB-specific, but: when the user logs in, keep track of the fact they are logged in. You can keep this in a cookie (watching out for the fact that a cookie can be tampered with.) You can keep track of it in a session variable. Or you could keep a boolean field in the database, "is_logged_in".
Then, when the user attempts to log in, you can check to see if they've already done so. If they're already logged in, the script might just return them to the home page (provided they used valid credentials. Otherwise a rogue user could type a username but leave the password blank, and depending on the behavior of your program, could see if a user was logged on at that specific time.)
Also, it is common that when someone is logged in, the webpage itself replaces the "Login" link with some text that says "Welcome, rascher!" and maybe links to their profile or preferences page.
Edit: Also remember to set is_logged_in (no matter how you track it) to "false" if they log out. It might also help to time this out - say, when the user closes the browser, or after "n hours" of inactivity (though that can be really annoying.) It will depend on how long people are generally logged into the system. Also note that someone might log in on their home computer, stay logged in, and then try to log in to the same place from work or their iphone. You might could look at ways of dealing with this (if the IP address is different than the current login, then log the other person out? Or something.)