#1 Plays with fire

    Create login with expiring passwords


    Hi--

    I'm creating a different login system for a portal and I don't think my brain is back from vacation yet.

    What I have is a one-way hash stored in a db, but if the user can't remember it, I'd like a temp password created that works for one hour only.

    I require a username and password, but can't really remove the password completely, since a user could reset someone else's password, so I have a temp password created with a datetime stamp one hour in the future.

    On the login, how would I check for this? How would I know if the user is trying to log in with the temp password or the old permanent one? I can check the datetime stamp and, if it's still current, try to match the temp password, but if it has expired do I tell the user to reset it again?
    Thanks for the help.
    “Be ashamed to die until you have won some victory for humanity.” -- Horace Mann

    "...all men are created equal." -- US Declaration of Independence
#2 --
    Hi,

    not sure why you're trying to reinvent the wheel ...

    There's an established way of resetting forgotten passwords and many, many tutorials about this: You generate a random reset token, hash it (!) and store it in a separate table together with the current timestamp. Then you send this token to the user by email, preferably within a link ready to be clicked on:

    Code:
    http://yoursite.com/forgot_password.php?token=63d737b572e593b04eedea082621e64d
    On this page, you fetch the token and check if it's valid (exists and hasn't expired yet). If it is, you let the user enter a new password. That's it. Check these notes on which functions to use.

    I think your "temporary password" is rather confusing. First of all, users are used to the standard solution above. Secondly, they might not read your instructions or forget to reset their password. The temporary password will expire, and they'll end up wondering why they can't log in.
    The 6 worst sins of security
    How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#3 Plays with fire
    ah, perfect. Thanks. As I said, I still have vacation brain.
#4 Plays with fire
    Sorry for one last question on this...

    I'm building this exactly as described, but when I save the hashed token in the db, how would I retrieve it? If I grab token from the URL how would I match it with the right record in the db?

    Sorry for being daft.

    PS--using bcrypt for hashing.
    Last edited by Frank Grimes; April 10th, 2013 at 11:38 AM.
#5 --
    Originally Posted by Frank Grimes
    Sorry for being daft.
    Nope, that's a good question. One way would be to pass the user ID along with the token. Since a particular user must never have more than one active token, you can use the user ID to look up the token hash.

    Alternatively, you could generate a random identifier in addition to the secret token -- so you basically generate two tokens. One you store as plaintext, one you hash.
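The scheme from the two replies above (a random token whose hash is stored with a timestamp, plus a separate plaintext identifier used to find the row), as an added PHP example that is not code from the thread. The `$store` array stands in for the reset table, the function names and the `selector:verifier` link format are assumptions, and the verifier is hashed with bcrypt as the original poster planned.

```php
<?php
// Added example, not code from the thread. $store stands in for the
// "separate table" from the reply; the function names are assumed.

const RESET_TOKEN_LIFETIME = 3600;   // one hour, the window the original poster wanted

/** Issue a reset token for $userId; the return value goes into the emailed link. */
function createResetToken(array &$store, int $userId, int $now): string
{
    $selector = bin2hex(random_bytes(8));    // stored in the clear: finds the row
    $verifier = bin2hex(random_bytes(32));   // the secret: only its bcrypt hash is stored

    // A user must never have more than one active token: drop any older one.
    foreach ($store as $sel => $row) {
        if ($row['user_id'] === $userId) {
            unset($store[$sel]);
        }
    }
    $store[$selector] = [
        'user_id'       => $userId,
        'verifier_hash' => password_hash($verifier, PASSWORD_BCRYPT),
        'expires_at'    => $now + RESET_TOKEN_LIFETIME,
    ];
    return $selector . ':' . $verifier;
}

/** Check a token from the URL; returns the user ID, or null if unknown, expired or wrong. */
function validateResetToken(array &$store, string $token, int $now): ?int
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                             // malformed, or no such selector
    }
    [$selector, $verifier] = $parts;
    $row = $store[$selector];
    if ($now > $row['expires_at']) {
        unset($store[$selector]);                // expired: the user must request a new link
        return null;
    }
    if (!password_verify($verifier, $row['verifier_hash'])) {
        return null;                             // selector known, but the secret is wrong
    }
    unset($store[$selector]);                    // single use: consumed on success
    return $row['user_id'];
}

// Constructed usage: issue a link for user 42, then validate it a minute later.
$resets = [];
$now    = time();
$link   = 'http://yoursite.com/forgot_password.php?token=' . urlencode(createResetToken($resets, 42, $now));
parse_str(parse_url($link, PHP_URL_QUERY), $query);   // what forgot_password.php reads from $_GET
$userId = validateResetToken($resets, $query['token'], $now + 60);   // accepted: within the hour
$again  = validateResetToken($resets, $query['token'], $now + 60);   // rejected: row already consumed
```

Because only the hash of the verifier is stored, a leaked copy of the reset table cannot be turned into working links, while the plaintext selector still makes the lookup a single indexed query.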
#6 Plays with fire
    Nice. Glad to know I was thinking in the right direction this time.

    Thanks again for your help!