
osCommerce


Secret question confirmation for forgotten passwords


unix32v


Posted

I need to replace the "click here to generate a new password" feature with one that first does a first-level authentication check and then guides the user to create a new password. (I'm trying to avoid sending the password as cleartext in an email). I'm thinking of prompting for a "secret question/answer" dialog.

 

Anyone done this?

 

I'm already walking the path: added fields to the "customers" table (thank you phpmyadmin!), can hash the "answer" to secure it in the database, ...

 

It seems quite a task to locate all the places that need change and make the changes: account*.php, create_account_process.php, and modules/account_details.php.

 

Is there a simpler way to do this? Thanks.

Posted

OK. I worked the code over and now have a version that works, but needs a bit of cleaning up.

 

It now prompts/requests 2 additional pieces of information during account "setup": 1. a "secret question" from a pull down menu, and 2. user supplied response for that question.

 

This info is added to new fields in the customer table, and the "process" files now carry/maintain this information.

 

The password_forgotten.php file is updated to display/request this challenge/response information along with the email address on its first "pass". The "action" pass checks this information for a "match", and if so, clears the password and redirects the user to the login page with an info message indicating what to do.

 

I'll clean the code a bit and post if anyone is interested.

 

This removes the security weakness of mailing the updated password in the clear. On the other hand, as I've coded it, the user could leave the account set without a password. I'll try to "fix" that.....

 

Post to me if you are interested in this.....
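The flow the post above describes (secret question and answer collected at account setup, checked on the forgotten-password page before the customer is allowed to set a new password), as an added example. This is my code, not code from this thread or from osCommerce: it uses plain PDO on an in-memory SQLite database in place of the `tep_db_*` helpers, keeps the two column names the thread adds (`customers_secret_question_id`, `customers_secret_question_answer`), and assumes PHP 7.1+ with the `pdo_sqlite` extension. Two things differ from the posted patch by design: the answer is stored as a salted hash and normalised before hashing and checking, and a correct answer does not blank the password (the weakness the post admits) but issues a single-use, expiring reset token that authorises exactly one password change. The reset-token columns are my addition.

```php
<?php
declare(strict_types=1);
// Added example, not code from this thread or from osCommerce. Assumes PHP 7.1+
// with pdo_sqlite; PDO stands in for tep_db_*; reset_token_* columns are
// constructed for this example, the customers_secret_question_* ones are the
// thread's.

// Normalise before hashing and before checking, so "Fido", " fido " and
// "FIDO" are the same answer; secret answers are typed from memory.
function normalize_answer(string $answer): string
{
    return strtolower(trim(preg_replace('/\s+/', ' ', $answer)));
}

// Store the answer like a password: salted, slow hash, never plaintext.
function hash_answer(string $answer): string
{
    return password_hash(normalize_answer($answer), PASSWORD_DEFAULT);
}

function verify_answer(string $answer, string $hash): bool
{
    return password_verify(normalize_answer($answer), $hash);
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (
        customers_id INTEGER PRIMARY KEY,
        customers_email_address TEXT UNIQUE NOT NULL,
        customers_password TEXT NOT NULL,
        customers_secret_question_id INTEGER NOT NULL,
        customers_secret_question_answer TEXT NOT NULL,
        reset_token_hash TEXT,
        reset_token_expires INTEGER)');
    return $db;
}

function create_customer(PDO $db, string $email, string $password, int $qid, string $answer): void
{
    $st = $db->prepare('INSERT INTO customers (customers_email_address, customers_password,
        customers_secret_question_id, customers_secret_question_answer) VALUES (?, ?, ?, ?)');
    $st->execute([$email, password_hash($password, PASSWORD_DEFAULT), $qid, hash_answer($answer)]);
}

// First pass of the forgotten-password page: email + question id + answer.
// Returns a reset token on success and null for an unknown email or a wrong
// answer alike, so the response does not reveal which of the two failed.
// The existing password stays in place: the account is never left without one.
function begin_reset(PDO $db, string $email, int $qid, string $answer, int $ttl = 900): ?string
{
    $st = $db->prepare('SELECT customers_id, customers_secret_question_id,
        customers_secret_question_answer FROM customers WHERE customers_email_address = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || (int) $row['customers_secret_question_id'] !== $qid
        || !verify_answer($answer, $row['customers_secret_question_answer'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    // Only a hash of the token is stored, so a database read cannot replay it.
    $st = $db->prepare('UPDATE customers SET reset_token_hash = ?, reset_token_expires = ?
        WHERE customers_id = ?');
    $st->execute([hash('sha256', $token), time() + $ttl, $row['customers_id']]);
    return $token;
}

// Second pass: the token, not the old password, authorises exactly one change.
function complete_reset(PDO $db, string $email, string $token, string $newPassword): bool
{
    $st = $db->prepare('SELECT customers_id, reset_token_hash, reset_token_expires
        FROM customers WHERE customers_email_address = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['reset_token_hash'] === null
        || time() > (int) $row['reset_token_expires']
        || !hash_equals($row['reset_token_hash'], hash('sha256', $token))) {
        return false;
    }
    $st = $db->prepare('UPDATE customers SET customers_password = ?, reset_token_hash = NULL,
        reset_token_expires = NULL WHERE customers_id = ?');
    $st->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['customers_id']]);
    return true;
}

// Constructed usage: one customer, one wrong guess, one correct answer typed
// with different case and spacing, then the token used once and re-used once.
$db = open_db();
create_customer($db, 'alice@example.com', 'old-password', 3, 'Fido');
var_dump(begin_reset($db, 'alice@example.com', 3, 'Rex'));          // wrong answer
$token = begin_reset($db, 'alice@example.com', 3, '  FIDO ');       // normalised match
var_dump(complete_reset($db, 'alice@example.com', $token, 'new-password'));
var_dump(complete_reset($db, 'alice@example.com', $token, 'again')); // token already consumed
```

In a real deployment the first pass also needs a per-customer failure counter with lockout or delay, because a secret answer has far less entropy than a password and this form is reachable by anyone who knows the email address; the page's own email notification on a successful reset should be kept as the owner's signal that the question was answered.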

  • 3 months later...
Posted

Tom,

 

That is exactly what I'm looking for!!! Please tell me you still check this board. Hopefully you're still contributing this security hole.

 

I caught this leak RIGHT AWAY and was hoping some got the jump on me for this one.

 

I'll be more than happy to receive this if you're still offering! :D

Posted

Rob, Waza04,

 

Gee, I thought this was something only I was interested in....

 

I can email you the updates that I made, although I completed this several months ago, and no doubt, the code base has moved a bit.

 

Let me locate the updates. It will probably take a day or so to post...

 

tom

Posted

I found the "diffs" more quickly than I thought. I actually sent these changes to "mattice" on 12/25/2002.

 

Here's what I sent to him. Again, I apologize for the "roughness" of the code. On the other hand, it seems to work.

 

Please correct/fix/enhance/etc.

 

tom

 

--------------------------------------------------------------------

Mattice,

 

Sorry for taking so long to send this to you.

 

The changes are a bit rough yet, but appear "fully" functional.

 

The first step is to add 2 additional fields to the customers table: customers_secret_question_id and customers_secret_question_answer. I used phpmyadmin to do this.

 

Here are the diffs against the 20021029 snapshot. I tried to remove other changes I made, but a few of them (my other changes) probably show up in the diffs.

 

If this format is not useful to you, please let me know, and I'll try something else.

 

This is my first effort at this, so please feel free to edit/update/correct/improve.

 

Tom

---------------------------------------------------------------------

 

*** catalog/account_edit_process.php Thu Dec 12 18:45:13 2002

***************

*** 31,38 ****

$newsletter = tep_db_prepare_input($HTTP_POST_VARS['newsletter']);

$password = tep_db_prepare_input($HTTP_POST_VARS['password']);

$confirmation = tep_db_prepare_input($HTTP_POST_VARS['confirmation']);

- $secret_question_id = tep_db_prepare_input($HTTP_POST_VARS['secret_question_id']);

- $secret_question_answer = tep_db_prepare_input($HTTP_POST_VARS['secret_question_answer']);

$street_address = tep_db_prepare_input($HTTP_POST_VARS['street_address']);

$company = tep_db_prepare_input($HTTP_POST_VARS['company']);

$suburb = tep_db_prepare_input($HTTP_POST_VARS['suburb']);

--- 31,36 ----
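Review bot: the diff was generated with the modified file as the first argument (`diff -c modified original`), so the feature's new lines appear here with `-` and the `---` side is the stock snapshot; anyone applying it needs `patch -R` or a regenerated diff with the arguments swapped. Within the hunk itself, `tep_db_prepare_input()` is the right call for both new inputs, but `$secret_question_answer` should additionally be normalised (trim, case-fold) before it is validated and hashed further down, otherwise customers who later type "Fido" for a stored " fido" fail the reset.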

***************

*** 167,184 ****

$entry_password_error = true;

}

 

- if (strlen($secret_question_answer) < ENTRY_PASSWORD_MIN_LENGTH) {

- $error = true;

- $entry_secret_question_error = true;

- } else {

- $entry_secret_question_error = false;

- }

-

- if ($secret_question_id < 1) {

- $error = true;

- $entry_secret_question_error = true;

- }

-

$check_email_query = tep_db_query("select count(*) as total from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "' and customers_id != '" . tep_db_input($customer_id) . "'");

$check_email = tep_db_fetch_array($check_email_query);

if ($check_email['total'] > 0) {

--- 165,170 ----
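Review bot: these checks reject any edit in which the answer is shorter than `ENTRY_PASSWORD_MIN_LENGTH`, so every account edit now forces the customer to retype the secret answer; if that is not intended, only validate and update the answer when the field is non-empty. Reusing the password constant for an answer length is also a poor fit (many honest answers are short, e.g. a pet name), so give the answer its own minimum, and note that `$entry_secret_question_error` is only defined on the path through this block, so any code reading it earlier sees an undefined variable.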

***************

*** 270,278 ****

'customers_telephone' => $telephone,

'customers_fax' => $fax,

'customers_newsletter' => $newsletter,

! 'customers_password' => crypt_password($password),

! 'customers_secret_question_id' => $secret_question_id,

! 'customers_secret_question_answer' => $secret_question_answer);

 

if (ACCOUNT_GENDER == 'true') $sql_data_array['customers_gender'] = $gender;

if (ACCOUNT_DOB == 'true') $sql_data_array['customers_dob'] = tep_date_raw($dob);

--- 256,262 ----

'customers_telephone' => $telephone,

'customers_fax' => $fax,

'customers_newsletter' => $newsletter,

! 'customers_password' => crypt_password($password));

 

if (ACCOUNT_GENDER == 'true') $sql_data_array['customers_gender'] = $gender;

if (ACCOUNT_DOB == 'true') $sql_data_array['customers_dob'] = tep_date_raw($dob);
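Review bot: `'customers_secret_question_answer' => $secret_question_answer` writes the answer to the database in plaintext, while the line directly above hashes the password with `crypt_password()`; the answer is what unlocks a password reset, so it deserves the same treatment (`crypt_password($secret_question_answer)`), with `password_forgotten.php` then comparing through the same validation routine used for passwords instead of `==`. The first post in this thread already says the answer can be hashed; this hunk does not do it.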

***************

*** 308,315 ****

$customer_country_id = $country;

$customer_zone_id = $zone_id;

 

- session_unregister('no_password');

-

tep_redirect(tep_href_link(FILENAME_ACCOUNT, '', 'SSL'));

}

 

--- 292,297 ----
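Review bot: `session_unregister('no_password')` removes the old-style registered session variable, but `header.php` in this same patch reads the flag from `$_SESSION['no_password']`; since PHP 4.1 these are separate mechanisms and `session_unregister()` does not remove a `$_SESSION` entry, so the "no password" banner will keep showing after the customer has set a password. Use one API for set, read and clear: either `tep_session_register()`/`tep_session_unregister('no_password')` throughout, or `$_SESSION` with `unset($_SESSION['no_password'])` here.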

*** catalog/create_account_process.php Tue Dec 10 15:29:16 2002

***************

*** 28,35 ****

$newsletter = tep_db_prepare_input($HTTP_POST_VARS['newsletter']);

$password = tep_db_prepare_input($HTTP_POST_VARS['password']);

$confirmation = tep_db_prepare_input($HTTP_POST_VARS['confirmation']);

- $secret_question_id = tep_db_prepare_input($HTTP_POST_VARS['secret_question_id']);

- $secret_question_answer = tep_db_prepare_input($HTTP_POST_VARS['secret_question_answer']);

$street_address = tep_db_prepare_input($HTTP_POST_VARS['street_address']);

$company = tep_db_prepare_input($HTTP_POST_VARS['company']);

$suburb = tep_db_prepare_input($HTTP_POST_VARS['suburb']);

--- 28,33 ----

***************

*** 168,186 ****

$entry_password_error = true;

}

 

- $squestlen = strlen($secret_question_answer);

- if ($squestlen < ENTRY_PASSWORD_MIN_LENGTH) {

- $error = true;

- $entry_secret_question_error = true;

- } else {

- $entry_secret_question_error = false;

- }

-

- if ($secret_question_id < 1) {

- $error = true;

- $entry_secret_question_error = true;

- }

-

$check_email = tep_db_query("select customers_email_address from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "' and customers_id <> '" . tep_db_input($customer_id) . "'");

if (tep_db_num_rows($check_email)) {

$error = true;

--- 166,171 ----

***************

*** 269,276 ****

'customers_fax' => $fax,

'customers_newsletter' => $newsletter,

'customers_password' => crypt_password($password),

- 'customers_secret_question_id' => $secret_question_id,

- 'customers_secret_question_answer' => $secret_question_answer,

 

'customers_default_address_id' => 1);

 

if (ACCOUNT_GENDER == 'true') $sql_data_array['customers_gender'] = $gender;

--- 254,259 ----
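Review bot: same point as the account-edit hunk: `'customers_secret_question_answer' => $secret_question_answer` stores the raw answer next to a `crypt_password()`-hashed password. Hash it at creation too, so that a read of the customers table (backup, SQL injection elsewhere, an admin export) does not hand out every customer's reset credential in clear.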

*** catalog/includes/form_check.js.php Tue Dec 10 15:10:09 2002

***************

*** 36,43 ****

var telephone = document.account_edit.telephone.value;

var password = document.account_edit.password.value;

var confirmation = document.account_edit.confirmation.value;

- var secret_question_id = document.account_edit.secret_question_id.value;

- var secret_question_answer = document.account_edit.secret_question_answer.value;

 

<?php

if (ACCOUNT_GENDER == 'true') {

--- 36,41 ----

***************

*** 141,153 ****

}

}

 

- if (document.account_edit.elements['secret_question_id'].type != "hidden") {

- if ((secret_question_id < 1) || (secret_question_answer == '' || secret_question_answer.length < <?php echo ENTRY_PASSWORD_MIN_LENGTH; ?>)) {

- error_message = error_message + "<?php echo JS_SECRET_QUESTION; ?>";

- error = 1;

- }

- }

-

if (error == 1) {

alert(error_message);

return false;

--- 139,144 ----

*** catalog/includes/header.php Thu Dec 12 18:30:07 2002

***************

*** 86,98 ****

</table>

<?php

}

- if ($_SESSION['no_password'] != '') {

- ?>

- <table border="0" width="100%" cellspacing="0" cellpadding="2">

- <tr class="headerError">

- <td class="headerError"><?php echo urldecode($_SESSION['no_password']); ?></td>

- </tr>

- </table>

- <?php

- }

?>

--- 80,83 ----
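Review bot: `if ($_SESSION['no_password'] != '')` triggers an undefined-index notice on every normal page view where the flag is absent; guard it with `isset()` (or `tep_session_is_registered()` if the rest of the patch moves to the framework's session helpers). The value is also passed through `urldecode()` although `password_forgotten.php` stores a plain string, and is echoed without `htmlspecialchars()`; harmless while it is a server-side constant, but wrapping the echo now prevents a later change that fills the message from a request parameter from becoming an HTML-injection point.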

*** catalog/includes/languages/english/login.php Sat Dec 14 20:26:51 2002

***************

*** 31,36 ****

 

define('TEXT_PASSWORD_FORGOTTEN', 'Password forgotten? Click here.');

 

! define('TEXT_LOGIN_ERROR', '<font color="#ff0000" size="+2"><b>ERROR:</b> No match for 'E-Mail Address' and/or 'Password'. Please try again.</font>');

! define('TEXT_VISITORS_CART', '<font color="#ff0000"><b>NOTE:</b></font> Your "Visitors Cart" contents will be merged with your "Members Cart" contents once you have logged on. <a href="java script:session_win();">[More Info]</a>');

?>

--- 31,36 ----

 

define('TEXT_PASSWORD_FORGOTTEN', 'Password forgotten? Click here.');

 

! define('TEXT_LOGIN_ERROR', '<font color="#ff0000"><b>ERROR:</b></font> No match for 'E-Mail Address' and/or 'Password'.');

! define('TEXT_VISITORS_CART', '<font color="#ff0000"><b>NOTE:</b></font> Your "Visitors Cart" contents will be merged with your "Members Cart" contents once you have logged on. <a href="java script:session_win();">[More Info]</a>');

?>
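Review bot: this hunk only changes the font size and wording of `TEXT_LOGIN_ERROR`; it is one of the unrelated local changes the author warns about and should be dropped so the patch applies to an unmodified language file.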

*** catalog/includes/languages/english/password_forgotten.php Wed Dec 11 14:56:42 2002

***************

*** 15,22 ****

define('HEADING_TITLE', 'I've Forgotten My Password!');

define('ENTRY_EMAIL_ADDRESS', 'E-Mail Address:');

define('TEXT_NO_EMAIL_ADDRESS_FOUND', '<font color="#ff0000"><b>NOTE:</b></font> The E-Mail Address was not found in our records, please try again.');

! define('TEXT_SECRETS_DO_NOT_MATCH', '<font color="#ff0000"><b>NOTE:</b></font> The Secrets you entered do not match those in our records, please try again.');

! define('EMAIL_PASSWORD_REMINDER_SUBJECT', STORE_NAME . ' - Password Changed.');

! define('EMAIL_PASSWORD_REMINDER_BODY', 'A new password and/or secret question/answer for your account was set by someone at IP Address ' . $REMOTE_ADDR . '. If you did not make this change, please let us know immediately by emailing a message to security@YOUR_SITE_NAME.com. Please use your new password and/or secret question/answer to gain access to the content on www.YOUR_SITE_NAME.com. ' . "nn");

! define('TEXT_PASSWORD_SENT', 'The password for your account has been removed. Please set a new Password and new Secret Question and Answer for you account below. Also, a Password Change Message Has Been Sent To Your Email Address');

?>

No newline at end of file

--- 15,21 ----

define('HEADING_TITLE', 'I've Forgotten My Password!');

define('ENTRY_EMAIL_ADDRESS', 'E-Mail Address:');

define('TEXT_NO_EMAIL_ADDRESS_FOUND', '<font color="#ff0000"><b>NOTE:</b></font> The E-Mail Address was not found in our records, please try again.');

! define('EMAIL_PASSWORD_REMINDER_SUBJECT', STORE_NAME . ' - New Password');

! define('EMAIL_PASSWORD_REMINDER_BODY', 'A new password was requested from ' . $REMOTE_ADDR . '.' . "nn" . 'Your new password to '' . STORE_NAME . '' is:' . "nn" . ' %s' . "nn");

! define('TEXT_PASSWORD_SENT', 'A New Password Has Been Sent To Your Email Address');

?>

No newline at end of file
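Review bot: the new `EMAIL_PASSWORD_REMINDER_BODY` reads `$REMOTE_ADDR` as a global, which only works with `register_globals` on (the original line had the same dependency); `getenv('REMOTE_ADDR')` is the portable form. The notification itself is a good addition and should stay: since the reset now completes without any email round-trip, this mail is the account owner's only signal that someone passed the secret question, so make sure it is sent before the redirect. Typo in `TEXT_PASSWORD_SENT`: "for you account".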

*** catalog/includes/languages/english.php Sat Dec 14 16:14:18 2002

***************

*** 159,165 ****

define('JS_COUNTRY', '* The 'Country' entry must be selected.n');

define('JS_TELEPHONE', '* The 'Telephone Number' entry must have at least ' . ENTRY_TELEPHONE_MIN_LENGTH . ' characters.n');

define('JS_PASSWORD', '* The 'Password' and 'Confirmation' entries must match and have at least ' . ENTRY_PASSWORD_MIN_LENGTH . ' characters.n');

- define('JS_SECRET_QUESTION', '* You must select a 'Secret Question' and your 'Answer' must have at least ' . ENTRY_PASSWORD_MIN_LENGTH . ' characters.n');

 

define('JS_ERROR_NO_PAYMENT_MODULE_SELECTED', '* Please select a payment method for your order.n');

define('JS_ERROR_SUBMITTED', 'This form has already been submitted. Please press Ok and wait for this process to be completed.');

--- 159,164 ----

***************

*** 172,219 ****

define('CATEGORY_CONTACT', 'Your Contact Information');

define('CATEGORY_OPTIONS', 'Options');

define('CATEGORY_PASSWORD', 'Your Password');

- define('CATEGORY_SECRET_QUESTION', 'Your Secret Question');

define('ENTRY_COMPANY', 'Company Name:');

! define('ENTRY_COMPANY_ERROR', '| <small><font color="#AABBDD">required</font></small>');

! define('ENTRY_COMPANY_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_GENDER', 'Gender:');

! define('ENTRY_GENDER_ERROR', '| <small><font color="#AABBDD">required</font></small>');

! define('ENTRY_GENDER_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_FIRST_NAME', 'First Name:');

! define('ENTRY_FIRST_NAME_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_FIRST_NAME_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_FIRST_NAME_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_LAST_NAME', 'Last Name:');

! define('ENTRY_LAST_NAME_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_LAST_NAME_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_LAST_NAME_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_DATE_OF_BIRTH', 'Date of Birth:');

! define('ENTRY_DATE_OF_BIRTH_ERROR', '| <small><font color="#FF0000">(eg. 05/21/1970)</font></small>');

! define('ENTRY_DATE_OF_BIRTH_TEXT', '| <small>(eg. 05/21/1970) <font color="#AABBDD">required</font></small>');

define('ENTRY_EMAIL_ADDRESS', 'E-Mail Address:');

! define('ENTRY_EMAIL_ADDRESS_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_EMAIL_ADDRESS_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_EMAIL_ADDRESS_CHECK_ERROR', '| <small><font color="#FF0000">Your email address doesn't appear to be valid!</font></small>');

! define('ENTRY_EMAIL_ADDRESS_ERROR_EXISTS', '| <small><font color="#FF0000">email address already exists!</font></small>');

! define('ENTRY_EMAIL_ADDRESS_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_STREET_ADDRESS', 'Street Address:');

! define('ENTRY_STREET_ADDRESS_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_STREET_ADDRESS_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_STREET_ADDRESS_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_SUBURB', 'Suburb:');

define('ENTRY_SUBURB_ERROR', '');

define('ENTRY_SUBURB_TEXT', '');

! define('ENTRY_POST_CODE', 'Zip Code:');

! define('ENTRY_POST_CODE_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_POSTCODE_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_POST_CODE_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_CITY', 'City:');

! define('ENTRY_CITY_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_CITY_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_CITY_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_STATE', 'State/Province:');

! define('ENTRY_STATE_ERROR', '| <small><font color="#FF0000">required</font></small>');

! define('ENTRY_STATE_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_COUNTRY', 'Country:');

define('ENTRY_COUNTRY_ERROR', '');

! define('ENTRY_COUNTRY_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_TELEPHONE_NUMBER', 'Telephone Number:');

! define('ENTRY_TELEPHONE_NUMBER_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_TELEPHONE_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_TELEPHONE_NUMBER_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_FAX_NUMBER', 'Fax Number:');

define('ENTRY_FAX_NUMBER_ERROR', '');

define('ENTRY_FAX_NUMBER_TEXT', '');

--- 171,217 ----

define('CATEGORY_CONTACT', 'Your Contact Information');

define('CATEGORY_OPTIONS', 'Options');

define('CATEGORY_PASSWORD', 'Your Password');

define('ENTRY_COMPANY', 'Company Name:');

! define('ENTRY_COMPANY_ERROR', ' <small><font color="#AABBDD">required</font></small>');

! define('ENTRY_COMPANY_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_GENDER', 'Gender:');

! define('ENTRY_GENDER_ERROR', ' <small><font color="#AABBDD">required</font></small>');

! define('ENTRY_GENDER_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_FIRST_NAME', 'First Name:');

! define('ENTRY_FIRST_NAME_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_FIRST_NAME_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_FIRST_NAME_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_LAST_NAME', 'Last Name:');

! define('ENTRY_LAST_NAME_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_LAST_NAME_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_LAST_NAME_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_DATE_OF_BIRTH', 'Date of Birth:');

! define('ENTRY_DATE_OF_BIRTH_ERROR', ' <small><font color="#FF0000">(eg. 05/21/1970)</font></small>');

! define('ENTRY_DATE_OF_BIRTH_TEXT', ' <small>(eg. 05/21/1970) <font color="#AABBDD">required</font></small>');

define('ENTRY_EMAIL_ADDRESS', 'E-Mail Address:');

! define('ENTRY_EMAIL_ADDRESS_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_EMAIL_ADDRESS_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_EMAIL_ADDRESS_CHECK_ERROR', ' <small><font color="#FF0000">Your email address doesn't appear to be valid!</font></small>');

! define('ENTRY_EMAIL_ADDRESS_ERROR_EXISTS', ' <small><font color="#FF0000">email address already exists!</font></small>');

! define('ENTRY_EMAIL_ADDRESS_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_STREET_ADDRESS', 'Street Address:');

! define('ENTRY_STREET_ADDRESS_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_STREET_ADDRESS_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_STREET_ADDRESS_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_SUBURB', 'Suburb:');

define('ENTRY_SUBURB_ERROR', '');

define('ENTRY_SUBURB_TEXT', '');

! define('ENTRY_POST_CODE', 'Zip Code:');

! define('ENTRY_POST_CODE_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_POSTCODE_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_POST_CODE_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_CITY', 'City:');

! define('ENTRY_CITY_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_CITY_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_CITY_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_STATE', 'State/Province:');

! define('ENTRY_STATE_ERROR', '| <small><font color="#FF0000">required</font></small>');

! define('ENTRY_STATE_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_COUNTRY', 'Country:');

define('ENTRY_COUNTRY_ERROR', '');

! define('ENTRY_COUNTRY_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_TELEPHONE_NUMBER', 'Telephone Number:');

! define('ENTRY_TELEPHONE_NUMBER_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_TELEPHONE_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_TELEPHONE_NUMBER_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('ENTRY_FAX_NUMBER', 'Fax Number:');

define('ENTRY_FAX_NUMBER_ERROR', '');

define('ENTRY_FAX_NUMBER_TEXT', '');

--- 171,217 ----

define('CATEGORY_CONTACT', 'Your Contact Information');

define('CATEGORY_OPTIONS', 'Options');

define('CATEGORY_PASSWORD', 'Your Password');

define('ENTRY_COMPANY', 'Company Name:');

! define('ENTRY_COMPANY_ERROR', ' <small><font color="#AABBDD">required</font></small>');

! define('ENTRY_COMPANY_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_GENDER', 'Gender:');

! define('ENTRY_GENDER_ERROR', ' <small><font color="#AABBDD">required</font></small>');

! define('ENTRY_GENDER_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_FIRST_NAME', 'First Name:');

! define('ENTRY_FIRST_NAME_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_FIRST_NAME_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_FIRST_NAME_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_LAST_NAME', 'Last Name:');

! define('ENTRY_LAST_NAME_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_LAST_NAME_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_LAST_NAME_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_DATE_OF_BIRTH', 'Date of Birth:');

! define('ENTRY_DATE_OF_BIRTH_ERROR', ' <small><font color="#FF0000">(eg. 05/21/1970)</font></small>');

! define('ENTRY_DATE_OF_BIRTH_TEXT', ' <small>(eg. 05/21/1970) <font color="#AABBDD">required</font></small>');

define('ENTRY_EMAIL_ADDRESS', 'E-Mail Address:');

! define('ENTRY_EMAIL_ADDRESS_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_EMAIL_ADDRESS_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_EMAIL_ADDRESS_CHECK_ERROR', ' <small><font color="#FF0000">Your email address doesn't appear to be valid!</font></small>');

! define('ENTRY_EMAIL_ADDRESS_ERROR_EXISTS', ' <small><font color="#FF0000">email address already exists!</font></small>');

! define('ENTRY_EMAIL_ADDRESS_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_STREET_ADDRESS', 'Street Address:');

! define('ENTRY_STREET_ADDRESS_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_STREET_ADDRESS_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_STREET_ADDRESS_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_SUBURB', 'Suburb:');

define('ENTRY_SUBURB_ERROR', '');

define('ENTRY_SUBURB_TEXT', '');

! define('ENTRY_POST_CODE', 'Post Code:');

! define('ENTRY_POST_CODE_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_POSTCODE_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_POST_CODE_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_CITY', 'City:');

! define('ENTRY_CITY_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_CITY_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_CITY_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_STATE', 'State/Province:');

! define('ENTRY_STATE_ERROR', ' <small><font color="#FF0000">required</font></small>');

! define('ENTRY_STATE_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_COUNTRY', 'Country:');

define('ENTRY_COUNTRY_ERROR', '');

! define('ENTRY_COUNTRY_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_TELEPHONE_NUMBER', 'Telephone Number:');

! define('ENTRY_TELEPHONE_NUMBER_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_TELEPHONE_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_TELEPHONE_NUMBER_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('ENTRY_FAX_NUMBER', 'Fax Number:');

define('ENTRY_FAX_NUMBER_ERROR', '');

define('ENTRY_FAX_NUMBER_TEXT', '');
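Review bot: apart from `- define('CATEGORY_SECRET_QUESTION', ...)` near the top, everything in this hunk is the unrelated removal of the `|` separators and the "Zip Code"/"Post Code" wording, and the `--- 171,217 ----` side appears twice with differing content, so the hunk will not apply as posted. Regenerate it against a clean snapshot so it contains only the one added `define`.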

***************

*** 224,248 ****

define('ENTRY_NEWSLETTER_ERROR', '');

define('ENTRY_PASSWORD', 'Password:');

define('ENTRY_PASSWORD_CONFIRMATION', 'Password Confirmation:');

! define('ENTRY_PASSWORD_CONFIRMATION_TEXT', '| <small><font color="#AABBDD">required</font></small>');

! define('ENTRY_PASSWORD_ERROR', '| <small><font color="#FF0000">min ' . ENTRY_PASSWORD_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_PASSWORD_TEXT', '| <small><font color="#AABBDD">required</font></small>');

define('PASSWORD_HIDDEN', '--HIDDEN--');

- define('ENTRY_SECRET_QUESTION', 'Secret Question:');

- define('ENTRY_SECRET_QUESTION_CONFIRMATION', 'Secret Question Answer:');

- define('ENTRY_SECRET_QUESTION_CONFIRMATION_TEXT', ' <small><font color="#AABBDD">required</font></small>');

- define('ENTRY_SECRET_QUESTION_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_PASSWORD_MIN_LENGTH . ' chars</font></small>');

- define('ENTRY_SECRET_QUESTION_TEXT', ' <small><font color="#AABBDD">required</font></small>');

- define('SECRET_QUESTION_HIDDEN', '--HIDDEN--');

- define('TEXT_EMPTY_PASSWORD', 'There is no Password set for this account. You need to set one now. Please supply the correct Secret Question and Answer for this account, and set a new Password and new Secret Question and Answer on the Account Edit page.');

-

 

// constants for use in tep_prev_next_display function

define('TEXT_RESULT_PAGE', 'Result Pages:');

! define('TEXT_DISPLAY_NUMBER_OF_PRODUCTS', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> offerings)');

define('TEXT_DISPLAY_NUMBER_OF_ORDERS', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> orders)');

define('TEXT_DISPLAY_NUMBER_OF_REVIEWS', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> reviews)');

! define('TEXT_DISPLAY_NUMBER_OF_PRODUCTS_NEW', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> new offerings)');

define('TEXT_DISPLAY_NUMBER_OF_SPECIALS', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> specials)');

 

define('PREVNEXT_TITLE_FIRST_PAGE', 'First Page');

--- 222,238 ----

define('ENTRY_NEWSLETTER_ERROR', '');

define('ENTRY_PASSWORD', 'Password:');

define('ENTRY_PASSWORD_CONFIRMATION', 'Password Confirmation:');

! define('ENTRY_PASSWORD_CONFIRMATION_TEXT', ' <small><font color="#AABBDD">required</font></small>');

! define('ENTRY_PASSWORD_ERROR', ' <small><font color="#FF0000">min ' . ENTRY_PASSWORD_MIN_LENGTH . ' chars</font></small>');

! define('ENTRY_PASSWORD_TEXT', ' <small><font color="#AABBDD">required</font></small>');

define('PASSWORD_HIDDEN', '--HIDDEN--');

 

// constants for use in tep_prev_next_display function

define('TEXT_RESULT_PAGE', 'Result Pages:');

! define('TEXT_DISPLAY_NUMBER_OF_PRODUCTS', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> products)');

define('TEXT_DISPLAY_NUMBER_OF_ORDERS', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> orders)');

define('TEXT_DISPLAY_NUMBER_OF_REVIEWS', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> reviews)');

! define('TEXT_DISPLAY_NUMBER_OF_PRODUCTS_NEW', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> new products)');

define('TEXT_DISPLAY_NUMBER_OF_SPECIALS', 'Displaying <b>%d</b> to <b>%d</b> (of <b>%d</b> specials)');

 

define('PREVNEXT_TITLE_FIRST_PAGE', 'First Page');

No newline at end of file
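Review bot: the `TEXT_DISPLAY_NUMBER_OF_PRODUCTS*` "offerings" wording at the bottom is unrelated and should be dropped. On the feature lines, `ENTRY_SECRET_QUESTION_ERROR` advertises `ENTRY_PASSWORD_MIN_LENGTH` as the answer minimum, so it must stay in step with whatever constant the `*_process.php` checks and `form_check.js.php` use; and the `ENTRY_SECRET_QUESTION_CONFIRMATION*` names are copied from the password-confirmation block although the field is the answer, not a confirmation, which will confuse the next translator. `TEXT_EMPTY_PASSWORD` documents that the secret question and answer alone now get a customer to the account-edit page, which is the design point the thread's second post flags.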

*** catalog/includes/modules/account_details.php Sat Dec 14 10:30:06 2002

***************

*** 14,20 ****

'text' => ENTRY_NEWSLETTER_YES),

array('id' => '0',

'text' => ENTRY_NEWSLETTER_NO));

- require('includes/secret_question.php');

?>

<table border="0" width="100%" cellspacing="0" cellpadding="2">

<tr>

--- 14,19 ----
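Review bot: `require('includes/secret_question.php')` pulls in the file that must define `$secret_question_array` for the pull-down menu, but that file is not in the patch (the trailer only says "Only in catalog/includes: secret_question.php"), so the patch cannot be applied as posted. Include it, and since the numeric ids are what get stored in `customers_secret_question_id`, treat the list as append-only so existing customers' stored ids keep their meaning.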

***************

*** 420,468 ****

<?php

}

?>

- <?php

- if (!$is_read_only) {

- ?>

- <tr>

- <td class="formAreaTitle"><br><?php echo CATEGORY_SECRET_QUESTION; ?></td>

- </tr>

- <tr>

- <td class="main"><table border="0" width="100%" cellspacing="0" cellpadding="2" class="formArea">

- <tr>

- <td class="main"><table border="0" cellspacing="0" cellpadding="2">

- <tr>

- <td class="main"> <?php echo ENTRY_SECRET_QUESTION; ?></td>

- <td class="main"> 

- <?php

- if ($error) {

- if ($entry_secret_question_error) {

- echo tep_draw_pull_down_menu('secret_question_id', $secret_question_array, $account['customers_secret_question_id']) . ' ' . ENTRY_SECRET_QUESTION_ERROR;

- } else {

- echo SECRET_QUESTION_HIDDEN . tep_draw_hidden_field('secret_question_id') . tep_draw_hidden_field('confirmation');

- }

- } else {

- echo tep_draw_pull_down_menu('secret_question_id', $secret_question_array, $account['customers_secret_question_id']) . ' ' . ENTRY_SECRET_QUESTION_TEXT;

- }

- ?></td>

- </tr>

- <?php

- if ( (!$error) || ($entry_secret_question_error) ) {

- ?>

- <tr>

- <td class="main"> <?php echo ENTRY_SECRET_QUESTION_CONFIRMATION; ?></td>

- <td class="main"> 

- <?php

- echo tep_draw_input_field('secret_question_answer', $account['secret_question_answer']) . ' ' . ENTRY_SECRET_QUESTION_CONFIRMATION_TEXT;

- ?></td>

- </tr>

- <?php

- }

- ?>

- </table></td>

- </tr>

- </table></td>

- </tr>

- <?php

- }

- ?>

</table>

--- 419,422 ----
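Review bot: two defects in the error path and one in the answer field. When `$error` is set by some other field, the inner else emits `SECRET_QUESTION_HIDDEN . tep_draw_hidden_field('secret_question_id') . tep_draw_hidden_field('confirmation')`: the hidden `secret_question_id` carries no value, so the resubmitted form fails the `$secret_question_id < 1` check in `account_edit_process.php`, and the hidden `confirmation` field is a leftover from the password block it was copied from and duplicates that block's field. Pass the value, `tep_draw_hidden_field('secret_question_id', $account['customers_secret_question_id'])`, and drop the confirmation field. Further down, `tep_draw_input_field('secret_question_answer', $account['secret_question_answer'])` reads a key that does not exist (the column is `customers_secret_question_answer`); if it were "corrected" it would print the stored answer into the page source, which with the plaintext storage in the `*_process.php` hunks means anyone with access to the rendered page (shared machine, proxy cache) reads the reset credential. Render the answer field empty, as the password fields are.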

Only in catalog/includes: secret_question.php

*** catalog/login.php Fri Dec 20 20:34:12 2002

***************

*** 22,31 ****

$HTTP_GET_VARS['login'] = 'fail';

} else {

$check_customer = tep_db_fetch_array($check_customer_query);

- // Check for empty password. If empty, redirect to password_forgotten.

- if( $password=='' && $check_customer['customers_password']=='' ) {

- tep_redirect(tep_href_link(FILENAME_PASSWORD_FORGOTTEN, 'error_message=' . urlencode(TEXT_EMPTY_PASSWORD)));

- }

// Check that password is good

if (!validate_password($password, $check_customer['customers_password'])) {

$HTTP_GET_VARS['login'] = 'fail';

--- 22,27 ----
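Review bot: the redirect passes the message as `error_message=`, but the `password_forgotten.php` hunk in this patch builds its own redirects with `info_message=` and `email=nonexistent`; check that the page actually reads `error_message`, otherwise the customer lands on the forgotten-password form with no explanation. A customer whose password has been blanked but who submits a non-empty password falls through to `validate_password()` and only gets a plain login failure, so the hint appears for an empty submission only. More fundamentally this branch exists because the account sits without a password from the moment the secret answer is accepted until the customer edits it, which the second post already names as the weakness; leaving `customers_password` untouched and storing a short-lived reset token instead would remove the need for this special case.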

***************

*** 53,62 ****

// restore cart contents

$cart->restore_contents();

 

- if( ($ohref = $_SESSION['origin_href']) ) {

- $_SESSION['origin_href'] = '';

- tep_redirect($ohref . '?' . tep_session_name() . tep_session_id());

- }

if (sizeof($navigation->snapshot) > 0) {

$origin_href = tep_href_link($navigation->snapshot['page'], tep_array_to_string($navigation->snapshot['get'], array(tep_session_name())), $navigation->snapshot['mode']);

$navigation->clear_snapshot();

--- 49,54 ----
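Review bot: `tep_redirect($ohref . '?' . tep_session_name() . tep_session_id())` concatenates the session name straight onto the id with no `=`, so the session is not propagated; it should be `tep_session_name() . '=' . tep_session_id()`. This `origin_href` handling is also unrelated to the secret-question feature, and the code that sets `$_SESSION['origin_href']` is not in the patch: if it can be populated from a request parameter this is an open redirect after login, so restrict it to paths on this site. Since the `$navigation->snapshot` block immediately below already returns the customer to the page they came from, this addition probably should not be here at all.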

*** catalog/password_forgotten.php Sat Dec 14 11:24:12 2002

***************

*** 11,62 ****

*/

 

require('includes/application_top.php');

- require('includes/secret_question.php');

 

require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_PASSWORD_FORGOTTEN);

 

if ($HTTP_GET_VARS['action'] == 'process') {

! $email_address = $HTTP_POST_VARS['email_address'];

! $check_customer = tep_db_query("select customers_firstname, customers_lastname, customers_secret_question_id, customers_secret_question_answer, customers_id, customers_default_address_id from " . TABLE_CUSTOMERS . " where customers_email_address = '" . $email_address . "'");

if (tep_db_num_rows($check_customer)) {

$check_customer_values = tep_db_fetch_array($check_customer);

! // Check secret question id and answer.

! // If matches, clear password field and take them to the account_edit page

! if( ($HTTP_POST_VARS['secret_question_id'] == $check_customer_values['customers_secret_question_id']) && ($HTTP_POST_VARS['secret_question_answer'] == $check_customer_values['customers_secret_question_answer']) ) {

! $crpted_password = '';

$sql = sprintf("UPDATE " . TABLE_CUSTOMERS . " SET customers_password = '%s' WHERE customers_id = %d", $crpted_password, $check_customer_values['customers_id']);

tep_db_query($sql);

- $_SESSION['no_password'] = 'The Password on your account has been removed. Please make sure to set a new password for your account now. It is against site policy to allow accounts to remain without passwords.';

 

! tep_mail($check_customer_values['customers_firstname'] . " " . $check_customer_values['customers_lastname'], $email_address, EMAIL_PASSWORD_REMINDER_SUBJECT, nl2br(EMAIL_PASSWORD_REMINDER_BODY), STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

!

! $check_country_query = tep_db_query("select entry_country_id, entry_zone_id from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . $check_customer_values['customers_id'] . "' and address_book_id = '1'");

! $check_country = tep_db_fetch_array($check_country_query);

!

! $customer_id = $check_customer_values['customers_id'];

! $customer_default_address_id = $check_customer_values['customers_default_address_id'];

! $customer_first_name = $check_customer_values['customers_firstname'];

! $customer_country_id = $check_country['entry_country_id'];

! $customer_zone_id = $check_country['entry_zone_id'];

! tep_session_register('customer_id');

! tep_session_register('customer_default_address_id');

! tep_session_register('customer_first_name');

! tep_session_register('customer_country_id');

! tep_session_register('customer_zone_id');

!

! setcookie('email_address', $email_address, time()+2592000, substr(DIR_WS_CATALOG, 0, -1));

! setcookie('first_name', $customer_first_name, time()+2592000, substr(DIR_WS_CATALOG, 0, -1));

!

! $date_now = date('Ymd');

! tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 where customers_info_id = '" . $customer_id . "'");

!

! // restore cart contents

! $cart->restore_contents();

!

! tep_redirect(tep_href_link(FILENAME_ACCOUNT_EDIT, 'info_message=' . urlencode(TEXT_PASSWORD_SENT), 'SSL', true, false));

! } else {

! tep_redirect(tep_href_link(FILENAME_PASSWORD_FORGOTTEN, 'info_message=' . urlencode(TEXT_SECRETS_DO_NOT_MATCH), 'SSL'));

! }

} else {

tep_redirect(tep_href_link(FILENAME_PASSWORD_FORGOTTEN, 'email=nonexistent', 'SSL'));

}

--- 11,31 ----

*/

 

require('includes/application_top.php');

 

require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_PASSWORD_FORGOTTEN);

 

if ($HTTP_GET_VARS['action'] == 'process') {

! $check_customer = tep_db_query("select customers_firstname, customers_lastname, customers_password, customers_id from " . TABLE_CUSTOMERS . " where customers_email_address = '" . $HTTP_POST_VARS['email_address'] . "'");

if (tep_db_num_rows($check_customer)) {

$check_customer_values = tep_db_fetch_array($check_customer);

! // Crypted password mods - create a new password, update the database and mail it to them

! $newpass = tep_create_random_value(ENTRY_PASSWORD_MIN_LENGTH);

! $crpted_password = crypt_password($newpass);

$sql = sprintf("UPDATE " . TABLE_CUSTOMERS . " SET customers_password = '%s' WHERE customers_id = %d", $crpted_password, $check_customer_values['customers_id']);

tep_db_query($sql);

 

! tep_mail($check_customer_values['customers_firstname'] . " " . $check_customer_values['customers_lastname'], $HTTP_POST_VARS['email_address'], EMAIL_PASSWORD_REMINDER_SUBJECT, nl2br(sprintf(EMAIL_PASSWORD_REMINDER_BODY, $newpass)), STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

! tep_redirect(tep_href_link(FILENAME_LOGIN, 'info_message=' . urlencode(TEXT_PASSWORD_SENT), 'SSL', true, false));

} else {

tep_redirect(tep_href_link(FILENAME_PASSWORD_FORGOTTEN, 'email=nonexistent', 'SSL'));

}
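Review bot: the secret answer is checked with a plain `==` against `customers_secret_question_answer` read straight from the table, so the answer is stored and compared in the clear; if that column is meant to hold a hash, the submitted `secret_question_answer` must be run through the same hash before the comparison, and the compare should be a strict `===` on the resulting strings. Two further points in the same `process` block: `$email_address` is taken from `$HTTP_POST_VARS` and concatenated into the `select ... where customers_email_address = '...'` query without `tep_db_input()`, so the lookup is injectable (the stock `---` side shown has the same flaw, but the new code is the place to fix it); and a correct answer does far more than clear the password, since it registers `customer_id`, `customer_default_address_id` and the other login values into the session, sets the `email_address` and `first_name` cookies and restores the cart, so an email address plus one guessable answer yields a fully logged-in session, with no failed-attempt counter or lockout anywhere in the hunk. Smaller items: `customers_password` is set to `''` and nothing after the redirect forces a new one to be chosen, so the `$_SESSION['no_password']` text is advisory only (and `$_SESSION` is mixed with `tep_session_register()` for the other values); `tep_mail()` now passes `EMAIL_PASSWORD_REMINDER_BODY` without the `sprintf()` the stock side uses, so the language string must lose its `%s` placeholder; `$date_now` is assigned and never used; and `require('includes/secret_question.php')` names a file that is not part of the patch. Note also that in this diff the `***` side carries the modification and the `---` side is the stock file, so applying it forward turns a modified file back into stock; either apply it with `patch -R` against the stock file or regenerate the diff with the stock file listed first.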

***************

*** 106,119 ****

<td class="main"><input type="text" name="email_address" maxlength="96" value="<?php echo $HTTP_COOKIE_VARS['email_address']; ?>"></td>

</tr>

<tr>

- <td align="right" class="main"><?php echo ENTRY_SECRET_QUESTION; ?></td>

- <td class="main"><?php echo tep_draw_pull_down_menu('secret_question_id', $secret_question_array) . ' ' . ENTRY_SECRET_QUESTION_TEXT; ?></td>

- </tr>

- <tr>

- <td align="right" class="main"><?php echo ENTRY_SECRET_QUESTION_CONFIRMATION; ?></td>

- <td class="main"><?php echo tep_draw_input_field('secret_question_answer') . ' ' . ENTRY_SECRET_QUESTION_CONFIRMATION_TEXT; ?></td>

- </tr>

- <tr>

<td colspan="2"><br><table border="0" cellpadding="0" cellspacing="0" width="100%">

<tr>

<td valign="top"><a href="<?php echo tep_href_link(FILENAME_LOGIN, '', 'SSL') . '">' . tep_image_button('button_back.gif', IMAGE_BUTTON_BACK) . '</a>'; ?></td>

--- 75,80 ----
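Review bot: `$secret_question_array`, which populates the `secret_question_id` pull-down, is not defined anywhere in this patch (it presumably comes from the `includes/secret_question.php` that the other hunk requires, which is not posted), so the form will not render without that file. Consider `tep_draw_password_field('secret_question_answer')` in place of `tep_draw_input_field('secret_question_answer')` so the answer is masked on screen, and be aware that the pull-down publishes the full question list to anyone who loads the page, so the question choice adds essentially no secrecy; the answer alone is the secret. On the context line above, the email field is echoed from `$HTTP_COOKIE_VARS['email_address']` without `htmlspecialchars()`; that is stock code, but since this form is being edited it is a good time to escape it.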

  • 2 weeks later...
Posted

I would love to have this mod. Please post the contribution in full as soon as possible.

 

Thanks a million.

 

(P.S. The secret_question.php is missing from the step-by-step post.)

 

Charlie

  • 9 months later...
Posted

I am no PHP programmer, and I do have some mods installed already on the customer sign-up page. But can anyone PLEASE get this code to work for OSC 2.2 MS2? I am running the 07/13/2003 release.

 

I see this kind of mod as a necessity for any osC shop; it shows you care about the integrity and privacy of your customers' data. It is too easy to fake an identity and spoof both IPs and email addresses.

 

Can someone code this for MS2 and submit it as a contrib?? :huh:

 

 

 

"Damnit Jim I'm a security analyst not a programmer"
