[PHP] user password management

2004-12-10 Thread Josh Howe
 

Does anybody have any tips or links for creating a system for managing
users' passwords? I want to make it so that when a user is created, an
email is sent with a link that allows them to set their password. The
link should only work for a set amount of time. I have ideas for
implementing something, but I have a hunch that there is some code
already out there for this. Does anybody know of any? Thanks!



Re: [PHP] user password management

2004-12-10 Thread Richard Lynch
> Does anybody have any tips or links for creating a system for managing
> users' passwords? I want to make it so that when a user is created, an
> email is sent with a link that allows them to set their password. The
> link should only work for a set amount of time. I have ideas for
> implementing something, but I have a hunch that there is some code
> already out there for this. Does anybody know of any? Thanks!

Use the sample code in http://php.net/md5 to create a hash, and store that
in your database with a datetime value of now().  The hash will be quite
unpredictable by the Bad Guys.

Send that hash as part of the link in your email, and compare that hash to
yours in the database.

To make it even harder to bust, store the http://php.net/crypt *of* the
md5 hash value, so that the actual value in the database is not what they
need to send, but you can crypt what they send to see if it is the correct
value.  That way, if somebody gains access to read your database, the
values stored there do them no good.

Course, it's more likely that somebody will gain access to the recipient's
email, but there is little you can do about that in today's environment. 
Digitally-signed and secure email is nowhere near pervasive enough.

An alternative is to send them a randomly-generated password, storing only
the crypt() of it, of course, and then force them to change the password
on first login.

Since some email clients have a tough time getting long URLs, this can be
less intensive on your Support/Help resources (your time) and it's really
not a lot less secure than the long URL method.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
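
The flow described in the reply above (unpredictable value in the link, only a one-way hash plus creation time stored, comparison and expiry on return), as an added example that is not part of the original thread. It uses random_bytes(), SHA-256 and hash_equals() (PHP 7+) in place of the md5/crypt calls the message names; TOKEN_TTL, the function names, the array standing in for the database table and the example.test URL are assumptions.

```php
<?php
// Added example, not code from the thread. TOKEN_TTL and the array-backed
// $store (standing in for the database table) are assumptions.
const TOKEN_TTL = 86400; // link lifetime in seconds (assumed: 24 hours)

function issueToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));      // unpredictable value from the CSPRNG
    $store[$userId] = [
        'hash'    => hash('sha256', $token), // only the one-way digest is stored
        'created' => $now,                   // the "datetime value of now()"
    ];
    return $token;                           // appears only in the e-mailed link
}

function redeemToken(array &$store, int $userId, string $token, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;                        // nothing issued, or already used
    }
    $row = $store[$userId];
    if ($now - $row['created'] > TOKEN_TTL) {
        unset($store[$userId]);              // expired: drop the stale row
        return false;
    }
    // Hash what was sent and compare in constant time against the stored digest.
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$userId]);                  // single use
    return true;
}

// Constructed demonstration with a fixed clock value.
$store = [];
$t0    = 1102636800;
$token = issueToken($store, 42, $t0);
echo "https://example.test/set-password.php?uid=42&token=$token\n";
var_dump(redeemToken($store, 42, 'not-the-token', $t0 + 60)); // wrong value
var_dump(redeemToken($store, 42, $token, $t0 + 60));          // correct value, in time
var_dump(redeemToken($store, 42, $token, $t0 + 120));         // replay of a used link
$late = issueToken($store, 43, $t0);
var_dump(redeemToken($store, 43, $late, $t0 + TOKEN_TTL + 1)); // after expiry
```

Because the token is 256 bits of random data, a fast unsalted digest is enough to protect the stored copy; a user-chosen password would need password_hash() instead.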



Re: [PHP] user password management

2004-12-10 Thread Brad Ciszewski
I have changed the script around a bit; now it actually shows something, but
it doesn't alternate.

$thisRow = 0;

$query = mysql_query("SELECT * FROM security_images ORDER BY ID DESC",
$conn);
while($gt=mysql_fetch_array($query)){
extract($gt);
if($thisRow % 2 == 0){
$backgroundColor = "#CC";
}else{
$backgroundColor = "#FF";
}
?>
  <tr bgcolor="<?PHP echo($backgroundColor); ?>">
<td><?PHP echo($ID); ?></td>
<td><?PHP echo($ipAddr); ?></td>
<td><?PHP echo($area); ?></td>
<td><?PHP echo($insertdate); ?></td>
<td><?PHP echo($referenceid); ?></td>
<td><?PHP echo($hiddentext); ?></td>
  </tr>
  <?PHP

  }
$thisRow++;

-Brad





RE: [PHP] user password management

2004-12-10 Thread Justin Palmer

> if($thisRow % 2 == 0){


Should be: if(($thisRow % 2) == 0){

Regards,

Justin
