Few security questions.

I am trying to make custom login and forgot_email pages.

So far they kind work.

This is how it all works, so you understand what I have.

1. The admin is the only person who puts users into this private site. On this form, there is a hidden field that inserts a random password, SHA1, every time the form is submitted. This works.

2. At this point I would like to have an email sent to the user that was just entered into the DB... not sure how to do this yet.

3. The login form is email / password, and the password is SHA1. This works.

4. If a user forgets password, I would like to generate a new one and email it. This kinda works.

I followed this tutorial: 07_send_password.swf But I run into an issue, I don't have an option to encrypt the new one. In the Update records Wizard, I only have data types of:
text, numeric, date, date ms access, and various checkbox types.

How can I go about emailing the unencrypted password, and also, at the same time, encrypt it into the DB?

Once I understand how to do this, I can then apply the same functionality for step 2.

thanks

While I'm at it, I noticed the cookie is not encrypted, it clearly shows the password. This cant be good, huh?

the way password encryption works is that the plain text password is sent as part of the form post to the server. once at the server, the server converts the plain text password to the encrypted password.


you can include the plain text password in your email by using the binding for the password form element.

for storing the password in the database, you need to use the DataAssist insert or update behaviors, the dreamweaver insert ands update behaviors wont have the encryption formatting options.

  While I'm at it, I noticed the cookie is not encrypted, it clearly shows the password. This cant be good, huh?  

yes, this is the way password encryption works. password encryption is only one part of protecting passwords. It is really only useful to protect the password if someone gains access directly to the database.

the encryption happens on the server.

when the login form posts, the plain text version of the password is sent to the server, once at the server, it is encrypted, then used to compare against what is in the database.

to really protect the passwords, you should be using and SSL Layer on your protected pages.

ok I am making some progress. I have step 2 working, but my question is, in the email that I get from this, It has every row for the db table listed. Is there a way to only insert specified rows into the email?

For example, when I submit the form, and it sends out an email, in that email I see:

======================
first name: bob
last name: bobinski
company: null
email: myemail@myemail.com
user level: 1
user name: bob
points earned:
points spent:
Insert: Insert
password: aywb5j2
WADAInsertRecordID:
Additional Notes:

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec eget tellus sed justo rhoncus posuere id sit amet arcu. Morbi pretium, enim faucibus facilisis hendrerit, elit. Morbi quis sodales ligula. Pellentesque elementum faucibus elementum. Sed rutrum dui in nisi dapibus molestie. Sed dictum ultricies viverra.
====================

I would like to remove:
company
user level
user name
points spent and earned
insert
WADAInsertRecordID

I've searched around a bit and cant see where the code to pull that is.

Thanks.

ok, thanks Jason. My project is getting there, thanks for the help

in the webassist/email/templates fodler, open the tempalte file for your email.


neer the top, edit the remove array to add form elements that should not be included:

change:

$remove = array();

$remove[]  = "";

$remove[]  = "x";

$remove[]  = "y";

to:

$remove = array();

$remove[]  = "";

$remove[]  = "x";

$remove[]  = "y";

$remove[]  = "company";

$remove[]  = "user_level";

$remove[]  = "user_name";

$remove[]  = "points_spent_and_earned";

$remove[]  = "insert";

$remove[]  = "WADAInsertRecordID";