Technical Support Forums

Is there a tutorial for validating a user in order to send them their password?

Thread began 1/02/2010 9:23 pm by Stevebo | Last modified 1/14/2010 9:31 am by Jason Byrnes | 4877 views | 20 replies |

Stevebo

Is there a tutorial for validating a user in order to send them their password?

I found a post by Walikan regarding something I'm interested in doing. However, I don't know much about the background of the steps to do what he did.

Is there a tutorial for how to create a "forgot password" page followed by a second check to verify their identity followed by sending them an email with a new password?

Basically, I want a forgot password feature where I ask them for their userID (their email address). Once they submit their userID, I will need to check in the database to see if it exists. If it does exist, then I want to route them to a verify identity page. Once there I plan to use their userID in order to retrieve and display a "Secret question" they selected from a canned list of secret questions when creating their profile.

Once they view their secret question that they had selected when creating their profile, I'll have a form element which will prompt them for their secret answer. When they enter their secret answer and submit the form, I want to verify that the secret answer matches what they entered in their profile.

If their secret answer matches what's in the database, I'll route them to an "email sent" page which explains that an email has been sent that contains their new password along with instructions with what to do next.

If they don't answer their secret answer correctly, I want to display an error message to indicate the secret answer is incorrect. If they still can't answer their secret answer they can contact us to tell us their problems.

If the userID doesn't exist, then I'll display a page indicating we don't have a userID in our system as they entered.

I'm interested if you have a tutorial as well as what tools you offer that could be used to accomplish this. I'm using DW CS4 with PHP and MySQL.

I've viewed one of your tutorials that covers setting up the basic pages for logging in and a forgot password page, but the forgot password page doesn't go far enough since I don't want to automatically reset the password without the user verifying who they are based on their userID. This will stop miscreants from constantly resetting someone's password without them ever requesting it.

thanks,

steve


Office Guy-172461

I think the best way to handle this is to just send them their password without resetting it. They have to have access to their email account to retrieve the password. You can suggest in the email to change their password themselves.

If they keep getting the same email, they still know someone is messing with their account but it will have little effect on them. You could always block the IP address of the offender if it got to that level.

You don't want to get too fancy or you'll drive visitors away. You have to balance the hassle factor with the sensitivity of the information you are trying to protect. You don't want visitors to jump through hoops if it's just their shipping address.


Stevebo

Thanks for the advice. I should've mentioned that this is a subscription based service we are offering so security is very important to us since it affects our main customer base. I should've also mentioned that we can't send them the password they created because it's encrypted when stored in the database (SHA-1). Our approach is very similar to what you find on something like Paypal (not quite as stringent as theirs though).

The problem with simply generating a password and sending it to them is that anyone can pose as the person if they know their email address and cause a new password email to be sent to the user. It's a lot easier to ask the user that forgot their password a simple secret question and they supply the secret answer. It's a bigger hoop for the customer to jump through with changing their password when they didn't request it, than it is to pass a simple security test.

If it's a poser, they will probably fail the security answer test which means the user will never be bothered with unrequested emails that will only cause confusion and phone calls to our help desk wondering what the heck is going on.

I should have been more clear on the need for the forgot password process being more stringent than simply sending a new password just because someone with an email address requested it.

steve


Office Guy-172461

The poser would have to have more than just an email address to get the password. They would also have to have the login password for the email account.

I doubt that the poser would get much satisfaction from continued requests that had no visible results. The email can include answers that explain exactly what to do so they wouldn't have to call the help desk. You can also limit the number of requests in a certain time period.

Using the security question is usually a secondary test because it is less secure than standard passwords. Plain words are vulnerable to dictionary attacks. Letting people get in with the security question defeats the protection provided by the passwords.


Office Guy-172461

I guess I'm having a hard time understanding the need for the extra steps.

It sounds like you are going to do a lot of extra coding, to make all of your users come up with security questions and answers, to avoid confusing a user if a poser tries to get his kicks by triggering an unwanted email.

Doesn't that just inconvenience everyone? Do you anticipate a level of abuse that would warrant that?

Maybe I'm missing something. I've never had an issue with the "Forgot Password" email.


Jason Byrnes (WebAssist)

Creating the secret answer is just a matter of adding two new fields to your users table (one for the questionID and one for the answer), and a new table for the secret questions.

The new table would be:
secretquestions:
questionID - Primary Key
questionText - varchar

Populate the secretquestions table with the questions that they should be allowed to choose from.

On the registration page, create a recordset to return the questions from the secretquestions table.

Add a select list to the registration form, set the select list to be dynamic, and pull the values for the select list from the secretquestions recordset. Set the value to the questionID column and the label to the questionText column.

Add a new text box also for the user to type their answer.

In the insert record behavior, bind the questionID column of the user table to the select list, and the answer column to the answer text box.

Now on the New Password page, create a recordset again to pull all the questions from the secretquestions table. Create the select list again, make it dynamic, get the values from the secretquestions recordset, and set the value to use the questionID column and the label to the questionText column.

Add the answer text box as well.

Create another recordset that filters the user table on the entered email address, the selected question and the answer.

Set the email password behavior trigger to only send if the lookup recordset is not empty. You can use the show region behavior to show an error message if the recordset is empty; you will need to modify the show region if statement so that it only shows the message if the recordset is empty and the form was submitted.
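As an added example (it is not WebAssist's or Jason's code), here is the table layout and the registration-page binding described above written as plain PHP/PDO instead of Dreamweaver behaviors. The names questionID, questionText and answer come from the post; the users table name, its email and password columns and the connection details are assumptions. It goes one step beyond the post: the secret answer is stored as a one-way hash like the password, so a copy of the database does not hand out the answers, and the submitted questionID is checked against the canned list rather than trusted from the form.

```php
<?php
// Added example, not WebAssist's code. Column names questionID, questionText and
// answer follow the post; the users table and its email/password columns are assumed.

$schema = <<<SQL
CREATE TABLE secretquestions (
    questionID   INT AUTO_INCREMENT PRIMARY KEY,
    questionText VARCHAR(255) NOT NULL
);
CREATE TABLE users (
    userID     INT AUTO_INCREMENT PRIMARY KEY,
    email      VARCHAR(255) NOT NULL UNIQUE,
    password   VARCHAR(255) NOT NULL,   -- password_hash() output, not a bare SHA-1
    questionID INT NULL,
    answer     VARCHAR(255) NULL,       -- password_hash() of the normalised answer
    FOREIGN KEY (questionID) REFERENCES secretquestions(questionID)
);
SQL;

/** Rows for the registration page's dynamic select list (value = questionID, label = questionText). */
function secretQuestions(PDO $db): array
{
    return $db->query('SELECT questionID, questionText FROM secretquestions ORDER BY questionID')
              ->fetchAll(PDO::FETCH_ASSOC);
}

/** Trim, collapse whitespace and lower-case, so "New York " and "new york" are the same answer. */
function normaliseAnswer(string $answer): string
{
    return mb_strtolower(trim(preg_replace('/\s+/', ' ', $answer)));
}

/** Insert a new user. Both the password and the secret answer are stored only as hashes. */
function registerUser(PDO $db, string $email, string $password, int $questionId, string $answer): int
{
    // Accept only a questionID that exists in the canned list, whatever the form submitted.
    $check = $db->prepare('SELECT COUNT(*) FROM secretquestions WHERE questionID = ?');
    $check->execute([$questionId]);
    if ((int)$check->fetchColumn() !== 1) {
        throw new InvalidArgumentException('unknown secret question');
    }

    $stmt = $db->prepare(
        'INSERT INTO users (email, password, questionID, answer) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        mb_strtolower(trim($email)),
        password_hash($password, PASSWORD_DEFAULT),
        $questionId,
        password_hash(normaliseAnswer($answer), PASSWORD_DEFAULT),
    ]);
    return (int)$db->lastInsertId();
}

// Usage (assumed connection details; run once to create the tables and seed the list).
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (explode(';', $schema) as $ddl) {
    if (trim($ddl) !== '') {
        $db->exec($ddl);
    }
}
foreach (['What was the name of your first pet?', 'In what city were you born?'] as $q) {
    $db->prepare('INSERT INTO secretquestions (questionText) VALUES (?)')->execute([$q]);
}
$questions = secretQuestions($db);   // feed this to the select list on the registration page
$newId = registerUser($db, 'steve@example.com', 'correct horse battery', $questions[0]['questionID'], 'Rex');
```

Because the answer is hashed, the "filter the user table on email, question and answer" recordset later has to fetch the stored hash for the email and compare with password_verify() rather than putting the answer in the WHERE clause; the lookup still returns "match" or "no match" exactly as the trigger expects.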


Stevebo

Originally Said By: Jason Byrnes
  Creating the secret answer is just a matter of adding two new fields to your users table (one for the questionID and one for the answer), and a new table for the secret questions.

The new table would be:
secretquestions:
questionID - Primary Key
questionText - varchar

Populate the secretquestions table with the questions that they should be allowed to choose from.

On the registration page, create a recordset to return the questions from the secretquestions table.

Add a select list to the registration form, set the select list to be dynamic, and pull the values for the select list from the secretquestions recordset. Set the value to the questionID column and the label to the questionText column.

Add a new text box also for the user to type their answer.

In the insert record behavior, bind the questionID column of the user table to the select list, and the answer column to the answer text box.

Now on the New Password page, create a recordset again to pull all the questions from the secretquestions table. Create the select list again, make it dynamic, get the values from the secretquestions recordset, and set the value to use the questionID column and the label to the questionText column.

Add the answer text box as well.

Create another recordset that filters the user table on the entered email address, the selected question and the answer.

Set the email password behavior trigger to only send if the lookup recordset is not empty. You can use the show region behavior to show an error message if the recordset is empty; you will need to modify the show region if statement so that it only shows the message if the recordset is empty and the form was submitted.



Thanks for the info Jason. Your approach to setting up the table of questions is exactly what we've done. The problem comes in with me not understanding clearly how to use the tools (I think).

Regarding the email password behavior, the SA email password shows two options. One for Microsoft mail and the other for Linux. In our case we need to provide authentication (TLS) to send the email. Does this mean using Universal Email instead of SA's email password behavior? If yes, where in UE do we choose to only send the email if the recordset is not empty?

Do you recommend a tool for handling the show region functionality? I assume this would be to display a message that the answer was incorrect.

Currently I have a page that is displayed when the user clicks the forgot password link. This is a page I coded myself and is not from SA. The user enters their email address and clicks submit. I save the email address they entered as a session variable and use it with the SA authenticate user behavior to see if it's an email address that exists or not. If it's OK, I route them to a page that displays their secret question and a field for entering their secret answer. Once they enter their answer and click submit, I check to see if it matches our records. If not, I'd like to display an error message, if so, I display a page that says an email was sent with instructions on what to do next. It's at this time that I would send an email with the non-encrypted password (because I saved it using the SA Random Password entry in the bindings tab) and I would also encrypt the password and store it in the database for the userID (email address that was submitted OK).

Does this sound OK or am I creating too many pages to handle all of this? Right now there's the page where they enter their email address, a page that says we can't find their email address in our records with a "try again" link back to the previous page so they can enter a different email address, the page for displaying the secret Q/A, a page that says their secret answer didn't match our records, and a success page telling them an email was sent when all goes well.

thanks for your help,

steve


Jason Byrnes (WebAssist)

You will only need 1 page to accomplish this. As Office Guy has pointed out, there's no need to make things any more difficult than needed by having the user click a gazillion different links just to reset the password.

On the email password page, create the form with the email text box, the secret question select list and the answer text box.

Create one recordset to look up the email address. Create an if statement that will redirect to the email password page with a query string variable indicating the email was no good:

php:
<?php
// Redirect only when the form was submitted and the email lookup returned no rows.
if ($totalRows_recordsetName == 0 && $_SERVER["REQUEST_METHOD"] == "POST") {
  header("Location: emailPW.php?email=0");
  exit;
}
?>

Then create an if statement to show an error message:

php:
<?php if (isset($_GET['email']) && $_GET['email'] == "0") { ?>
the email address you entered is not valid
<?php } ?>

Create another recordset to look up all 3, the email, question and answer combination that was entered. You can create similar if statements for the redirect and for showing the error message; just change the query string variable name.

Then use Universal Email to send the email only if this second recordset is not empty. On the General tab, you can select the triggers; one of the triggers available will be "if recordset is not empty".


Stevebo

Originally Said By: Jason Byrnes
  You will only need 1 page to accomplish this. As Office Guy has pointed out, there's no need to make things any more difficult than needed by having the user click a gazillion different links just to reset the password.

On the email password page, create the form with the email text box, the secret question select list and the answer text box.



Not sure if I understood your explanation here Jason. Do you mean one page (forgot password page) that has a form field for entering their email address which will display an error if no such email exists, but if correct, route to another page named email password which will contain the secret Q with a field for entering the secret answer they will submit, or were you meaning to put all three on the same page?

It seems like I'd need at least two pages. Otherwise I wouldn't be able to show the secret question they chose when setting up their profile until I at least had a valid email address to reference.

steve


Stevebo

After re-reading the posts, I'm questioning whether I was clear on the forgot password process I'm trying to accomplish.

So just to be sure Jason, here is how things are supposed to work:

1. The user clicks a forgot password link.

2. They are shown a forgot password page with a single form element that asks them to enter their email address.

3. I test to see if the email address exists in my client table.

4. If so, I display a "verify identity" page which shows two fields. One field is the secret question that was selected when they set up their profile. The other field is their secret answer they entered when they set up their profile.

5. The secret question field is populated with the secret question they selected when they set up their profile. This matches the email address they entered. This is not something they will change so there will only be the secret question that they had previously selected when setting up their profile.

6. The user enters their secret answer that they had previously entered when they set up their profile and clicks submit.

7. I check the client table to see if the secret answer they entered on the verify identity page matches what's in the client table for the email address that was previously checked and found to be OK.

8. If it's good, we generate a new password and email it to them. We also store an encrypted version of the password in the client table so that when they attempt to sign in, it will pass.

The reason I ask is that after re-reading the posts, it sounded like maybe you thought I'd let them pick another secret question and type in a secret answer. Perhaps I misread the posts, but just want to be sure we're on the same page.

I'm pulling the secret question from their profile so that I can prompt them for their secret answer. Technically, the secret question doesn't have to be in a form, it could be dynamic text that I display, but their secret answer will have to be in a form so they can submit their answer and I can test to see if it's OK or not.

Is this how you understood the forgot password process worked as well? I'm getting suspicious that when I said I would show two fields on the "verify password" page that it somehow indicated they could select a secret question which is not what I intended. They will see the secret question as it exists in the client table. This may be my fault for putting the secret question in a form rather than just showing it as a dynamic text element.

steve
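As an added example (not WebAssist's or Jason's code), here is Steve's eight-step flow above written in plain PHP/PDO, wired with the query-string error flags from Jason's one-page version and the "send only when the lookup matches" rule. It assumes a users table with userID, email, password, questionID and answer (the answer stored as a password_hash() of the normalised text, not in clear), a secretquestions table (questionID, questionText), page names forgot.php, verify.php and sent.php, and PHP's mail() standing in for Universal Email. It also adds the limit Office Guy suggested: a lookup expires after ten minutes and allows five wrong answers.

```php
<?php
// Added example, not WebAssist's code. Table/column names and page names are assumptions.
session_start();

function normaliseAnswer(string $answer): string
{
    return mb_strtolower(trim(preg_replace('/\s+/', ' ', $answer)));
}

// Steps 2-3: look up the email. On a hit, remember the user and the profile's question in
// the session and return the question text; on a miss return null and create no state.
function startReset(PDO $db, string $email): ?string
{
    $stmt = $db->prepare(
        'SELECT u.userID, u.email, q.questionText FROM users u
           JOIN secretquestions q ON q.questionID = u.questionID
          WHERE u.email = ? LIMIT 1'
    );
    $stmt->execute([mb_strtolower(trim($email))]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    $_SESSION['reset'] = ['userID' => (int)$row['userID'], 'email' => $row['email'],
        'question' => $row['questionText'], 'started' => time(), 'attempts' => 0];
    return $row['questionText'];
}

// Steps 5 and 6: the question is shown as dynamic text, never chosen by the visitor.
function currentQuestion(): ?string
{
    return $_SESSION['reset']['question'] ?? null;
}

// Steps 7-8: compare the answer with the stored hash. On a match store the hash of a fresh
// random password and return the plaintext plus address for the email; otherwise null.
function verifyAndReset(PDO $db, string $answer): ?array
{
    $r = $_SESSION['reset'] ?? null;
    // No step-2 lookup, a lookup older than 10 minutes, or five wrong answers already.
    if ($r === null || time() - $r['started'] > 600 || $r['attempts'] >= 5) {
        unset($_SESSION['reset']);
        return null;
    }
    $_SESSION['reset']['attempts']++;
    $stmt = $db->prepare('SELECT answer FROM users WHERE userID = ?');
    $stmt->execute([$r['userID']]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares in constant time and the stored answer is never echoed back.
    if ($hash === false || !password_verify(normaliseAnswer($answer), $hash)) {
        return null;
    }
    // 12 random bytes -> 16 URL-safe characters; only its password_hash() is stored.
    $newPassword = rtrim(strtr(base64_encode(random_bytes(12)), '+/', '-_'), '=');
    $upd = $db->prepare('UPDATE users SET password = ? WHERE userID = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $r['userID']]);
    unset($_SESSION['reset']);                   // one reset per successful lookup
    return ['email' => $r['email'], 'password' => $newPassword];
}

// forgot.php: the email form posts here (Jason's redirect-with-flag pattern on a miss).
function handleForgotPost(PDO $db): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    $question = startReset($db, $_POST['email'] ?? '');
    header('Location: ' . ($question === null ? 'forgot.php?email=0' : 'verify.php'));
    exit;
}

// verify.php: shows currentQuestion() and posts the answer here; email goes out only on a match.
function handleVerifyPost(PDO $db, string $fromAddress): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    $result = verifyAndReset($db, $_POST['answer'] ?? '');
    if ($result === null) {
        header('Location: verify.php?answer=0');
        exit;
    }
    mail($result['email'], 'Your new password',
         "Your password has been reset to: {$result['password']}\nPlease sign in and change it.",
         "From: $fromAddress");
    header('Location: sent.php');
    exit;
}

// Error messages driven by the query-string flags, as in Jason's second if statement.
if (isset($_GET['email']) && $_GET['email'] === '0') {
    echo '<p>We have no account for the email address you entered.</p>';
}
if (isset($_GET['answer']) && $_GET['answer'] === '0') {
    echo '<p>The secret answer did not match our records.</p>';
}
```

Two pages are enough because verify.php never trusts anything from the browser except the answer: the user and the question come from the session written by startReset(), so nobody can reach step 7 for an email address that was not looked up first, and the redirect flags carry no account data.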
