Technical Support Forums

Login form needs to distinguish between bad email and bad password

Thread began 11/03/2010 1:50 pm by SaladoGuy | Last modified 3/22/2011 4:51 pm by Lon Winters | 4395 views | 14 replies |

SaladoGuy (Beta Tester)

To continue my thread about user problems with the login form (showthread.php?t=16940)...

Right now, on the login page, if the user inputs an incorrect email address, they are immediately sent to the "Forgot password?" password reset page which confuses them because then they think their password is wrong even though it's the email address that's wrong (I've had some users get rather disturbed about this behavior).

So I need to either 1) Redirect them to a different page (other than the bad password reset page) when the email address is wrong, or else 2) redirect them to the same page but have it display a different message depending on exactly what's wrong: the email address or the password.

Problem is I don't know how to do either of the above. I tried using WA "Validator" to check the email address field against a recordset containing all the emails in the customer table (surely that's not a good way to do that! Imagine facebook or amazon doing something like that ...) and configured the Validate server behaviour to redirect to a different page (customer_bademail.php) but it doesn't work, they still get sent to the "bad password" page.

Could someone please tell me how to detect an invalid email address (meaning, one that isn't registered in the system) and print a different message or redirect to a different page?

Thanks!


Jason Byrnes (WebAssist)

You are on the right track using the Validation Toolkit.

Create a recordset that filters the email address column against the entered email address.

Then add the Validation Toolkit Server Validation behavior.

Select number validation.

Set the server variable to:
$totalRows_<recordset name>

where <recordset name> is the name of your recordset.

Set the minimum number to 1 and the maximum to 10000.


SaladoGuy (Beta Tester)

Hi Jason,

I'm still having a little trouble with this. First:

Originally Said By: Jason Byrnes
  you are on the right track using validation toolkit.

  Create a recordset that filters the email address column against the entered email address.

What I did is create the recordset (simple view) to use the customer table, use only the email column, and Filter by "email" (column) = Form variable "username" (I called that form field "username" way back when I first generated the page with SecurityAssist).

Was that the right way to configure the recordset? Or should I have used "Entered Value" instead of "Form variable"?

Next, it was still redirecting to the "bad password" page even when the email address was bad.

I tried moving the PHP code from where it was (it was formerly underneath the Security Assist "Authenticate user" block of code) up to the top. I thought maybe PHP was processing the "Authenticate user" block first and preempting the bad-email detection.

Unfortunately, after that, now I get sent to the "bad email" page even when I use a valid email and password.

Could you look at it and tell me what I did wrong?

Thanks.


SaladoGuy (Beta Tester)

Another thing:

When I created the validate server behavior, at first I used the "dynamic" (lightning bolt) menu to choose the recordset and the code looked like this:

$row_rsCheckEmail['email']

I also tried changing $row_ to $totalRows_ as you described but it did not help.

I moved the Validate code block back down to where it was previously. Now I can log in again with a good email and password, but still when I use a bad email it sends me to the bad password page.

I've attached the new version here also.

Thanks.


SaladoGuy (Beta Tester)

Originally Said By: SaladoGuy
  I've attached the new version here also.

Really attached this time.


Jason Byrnes (WebAssist)

1) The code order on the page was not correct.

2) The server variable to use for the validation is:
$totalRows_rsCheckEmail

not:
$totalRows_rsCheckEmail['email']

I have attached the corrected file.

Attached Files
customer_login.php.zip

danny405167

How about the password?

I followed your instructions on how to filter the email address to check if it is a registered email address. I tried to do the same with the password but no luck because the passwords in the database are encrypted. Can this method be used to check if the password is good or bad?


Jason Byrnes (WebAssist)

Yes, this can be done.

When creating the parameter for the password lookup recordset, set the run time value to:
sha1($_POST['passwordElement'])

where passwordElement is the name of the password form element.


Lon Winters (Beta Tester)

My 2 cents

Checking for the existence of a user name during a sign up process is good to have. But it's not a good idea for a login form. Most logins you see on websites just tell you that the login failed, and give you options to retrieve your info.

For security reasons, if you tell the user which one of the fields doesn't validate, it just makes it that much easier for someone to hack into the account.

Plus it makes your job easier as this is the default way the login behaviors work. Just something to think about.

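An added example (not WebAssist code and not from any post above) showing the single-message login that Lon describes, with the per-email lookup from Jason's recordset answer folded into one function. It assumes a hypothetical "customer" table with "email" and "password_hash" columns; the in-memory SQLite database and the rows in it are constructed here so the script runs stand-alone.

```php
<?php
// Constructed in-memory database standing in for the customer table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO customer (email, password_hash) VALUES (?, ?)');
$ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash of a throwaway password, verified whenever no account matches, so a
// lookup for an unregistered e-mail costs about the same time as a wrong password.
$dummyHash = password_hash('unused-dummy-password', PASSWORD_DEFAULT);

// Returns the account row on success, or null on any failure. The caller only
// learns "login failed", never which of the two fields was wrong.
function attemptLogin(PDO $pdo, string $dummyHash, string $email, string $password): ?array
{
    // Same idea as the rsCheckEmail recordset: filter the email column by the entered value.
    $stmt = $pdo->prepare('SELECT email, password_hash FROM customer WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run the verification, against the real hash or the dummy one.
    $hash = $row ? $row['password_hash'] : $dummyHash;
    $ok = password_verify($password, $hash);

    return ($row && $ok) ? $row : null;
}

$attempts = [
    ['alice@example.com', 'correct horse'],   // valid credentials
    ['alice@example.com', 'wrong password'],  // registered e-mail, bad password
    ['nobody@example.com', 'correct horse'],  // unregistered e-mail
];
foreach ($attempts as [$email, $password]) {
    $result = attemptLogin($pdo, $dummyHash, $email, $password);
    // One generic message for both failure cases; no separate "bad email" page.
    echo $email, ': ', $result
        ? 'login ok'
        : 'Login failed. Check your e-mail and password, or use "Forgot password?".', PHP_EOL;
}
```

The recordset approach in the thread still works for a sign-up form, where telling the user an e-mail is already taken is the intended behaviour.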

Jason Byrnes (WebAssist)

Excellent point Lon, thanks for adding your 2 cents to the pot. I completely agree that this can pose a security risk.
