Menu
I am using the EZ Publish CMS:
From the forgot password page, user enters the email address that they used to register and submits
User receives an email with a password generating link which uses a hash to confirm their identity.
User receives an email with a freshly generated password
User returns to site using the link from their email which takes them to a form that asks for the old password (which was just generated and has been sent to their email) and for them to enter a new password.
From the "forgot password" page, user enters the email address that they used to register and submits
User receives an email with a link to the "enter new password" form
On the "enter new password" form, user is not required to enter old password because identity has already been confirmed by hash and therefore only has to enter the new password.
I am using the EZMBPAEX extension which has the original 4 step process. There doesn't seem to be any documentation or discussion about removing the "email the user a new password" step but my client has a very strict no passwords sent by email policy so I can't flex on this.
Does anyone know where I can find documentation on how to edit this functionality?
I think the file that will need to be edited is located in:/extension/ezmbpaex/modules/userpaex/forgotpassword.php
901
First of All create a function to generate a random string for you, let's say you need to create a random string of 32 caracters, choose any number of caracters you want
Function to generate random code which will be sent by email and added to db
function genRandomString() {
$length = 32;
$characters = "0123456789abcdefghijklmnopqrstuvwxyz";
$string ="";
for ($p = 0; $p < $length; $p++) {
$string .= $characters[mt_rand(0, (strlen($characters))-1)];
}
return $string;
}
Next, create a new table using php myAdmin, a table names forgotten_passes which contain three columns, let's say you already did that
$key = genRandomString(); // assign random code
$assign = $db->query("INSERT INTO `YOUR_DB_NAME`.`forgotten_pass` (`email` ,`randomKey` , `time`)
VALUES ('$email', '$key', CURRENT_TIMESTAMP );");
Next send an email which contain a link to your resetpassword.php page ( the page where user asked to choose a new password and confirm it, but do not forget to assign the generated key to a get variable , that's easy, just when you the link
www.yourdomain.com/pass_reset.php ( ADD ?secretkey=THE_GENERATED_HERE )
so the link sent to the email adresse of the person who need to reset the password should contain something like :
Hello username, to reset your password click on the link below or copy/past it into your browser
The link : http://www.yourdomain.com/pass_reset.php?secretKey=a12s236d5c8d4fkejus10a1s2d4c8741
When user click on the link, he will go to a page which verify his email and its corresponding random key in sql database, if it found that there are really an email and that random kay, then the user is really confirmed it's email, so this page should contain something like below :
<?php
if (isset($_GET['secretKey'])) {
$secretKey = $_GET['secretKey'];
// Check wether it really exist in database
$sql = 'select * from forgotten_pass WHERE email=$The_User_Email and randomKey='$secretKey'';
}
Now, just count the number of rows to see if there are returned data, if there are returned data than the user really connected to its inbox and clicked the link.
Just do the following :
if mysql_num_rows($sql)>0 { echo "Success, ";
?>
// in this part type the html code which displays two inputs text, password
// and confirm password that connect to database and update the user's password
<form method="post" action="passupdate.php">
<input name="password" value =""/>
<input name"confirmedPassword" value=""/>
<input type="submit" value="Save my new password">
</form>
<?php
} else {
echo "Sorry, invalid reset link";
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
