osCommerce

Question about 'forgotten passwords'


Jazztronik


As most of you must know, in osCommerce, if you, as a customer, forget your password, you will be asked for your e-mail address (in password_forgotten.php) so that a new random password is sent to it so that only you can read it. Due to the complaints of some customers (they wanted a password of their liking and didn't like the fact of having a new random one and having to re-modify it), we've decided to change this behaviour.

What we want now is, when customers forget their password and they send their e-mail address through password_forgotten.php, another e-mail is sent to them with a link that allows them to auto-login and directly go to account_password.php, where the "current password" field will not be displayed, only the "new password" and "re-type password" fields, in order to make a more direct way to have a password they like.

Everything is already implemented, except for the last step. How do I build the link so that our customers can access account_password.php? What I have perfectly clear is that I will need some kind of GET variable so as to hide the "current password" field in account_password.php, but how can customers directly login and view this file from a link in their e-mail?



Oh man, you have some picky customers. In 15 years using osC, not one of my customers has complained about this procedure. Most sites on the web use this procedure of issuing random new passwords for customers to change. This is a security feature.



Yes, unfortunately you're right hehehe; generally our regular customers are middle-aged women, but also older ones, who are not so keen on technology. We wish to keep them as satisfied as possible. So, could you guide me anyway on how to perform this change? Some suggestions please?



Passwords are stored in an encrypted way, so you can't retrieve them.

You may use another retrievable encryption method, so you will get the same password after asking a security question.

It is easy, so you may try it.

When I was born, I cried and everyone around me was smiling.

Live your life so that at the end,

I am the one who is smiling and everyone around me is crying.


Most of my customers for Adorable Apparel are middle-aged women and older women, and they all manage fine.

Some customers will always moan about something, but I have never had any complaints about the password feature.

The way it is defaulted is the best way security-wise.



You could check out the addon secret question.


Some kind of reversible encryption or the secret question would have been plausible solutions if they had been implemented from the start. But what about the loads of users already registered?

Although I know that generating a new random password is the best solution, I'm trying my solution anyway. So I'll explain to you the most important steps of the algorithm, and perhaps you'll know what to do to fix the bugs I experience:

- When Betty, a fictional customer of my site, has lost her password, she clicks on the password forgotten link and is redirected to password_forgotten.php.

- Here she will find a field in which to enter her e-mail address. So she types it and sends it.

- The same file will process this action. Here's where the changes begin. Instead of generating a new random password and sending it to her, I do this:

- I create a link to account_password2.php (a new version of the file whose purpose is to change the current password for a new one, with some differences; for instance, it has no field for the old password) and embed it in the e-mail body.

- Two variables are attached to the URL of the link: "email", which contains the user's specified e-mail address, and "key", created from an md5 encryption of a string which in turn has been created by joining her e-mail address and other private data I obviously cannot disclose.

- When Betty opens her new e-mail and clicks on the link, a new window is opened to show account_password2.php. This file checks, just after including "application_top.php", whether the above-mentioned vars "email" and "key" exist.

- If so, it retrieves from the database, by means of "email", the same user data (Betty's user data) that login.php uses in order to create the session vars.

- Next, it recreates the key in the same way as before so as to compare them. If they match, the same session vars as in login.php are created from the retrieved data, and account_password2.php is shown with Betty logged in.

- Now the problem: although Betty's password is actually changed if she changes it, some kind of problem with sessions is experienced, because if, instead of changing her password, she clicks to enter her account data, most of the time she's redirected to login.php, like a new user, in place of account.php, and only very rarely does she go to account.php.

I hope you understand what I mean to say. Just as I said, this needs expertise.
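The link described in the post above is built from a deterministic key (an md5 of the e-mail address plus a fixed secret), so the same link is valid forever and still works after the password has been changed once. What follows is an added example, written for this thread and not taken from osCommerce or from the poster's code, of the same password_forgotten.php / account_password2.php flow using a random, single-use, expiring token instead. It also illustrates the earlier reply's point that stored passwords cannot be retrieved: the new password is written as a one-way hash. Everything beyond the file names and the customers table columns from the thread is an assumption: the `password_reset` table and its columns, the PDO handle `$db` (used directly instead of osCommerce's own database functions), the helper names, and the `password_hash` storage format, which must match whatever the store's login.php verifies.

```php
<?php
// Added example for this thread; not osCommerce code. Assumed schema:
//   password_reset(customers_id INT, token_hash CHAR(64), expires_at INT, used TINYINT)
// plus the customers table columns named below. $db is an assumed PDO handle.
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600;   // a link is valid for one hour

/**
 * Step 1 (password_forgotten.php): build the e-mail link.
 * Returns the URL to send, or null when the address is unknown; the page should
 * show the same "if the address exists, mail has been sent" text either way.
 */
function create_reset_link(PDO $db, string $email, string $base_url): ?string
{
    $stmt = $db->prepare('SELECT customers_id FROM customers WHERE customers_email_address = ?');
    $stmt->execute([$email]);
    $customer_id = $stmt->fetchColumn();
    if ($customer_id === false) {
        return null;
    }

    // 256 bits from the CSPRNG. Only the SHA-256 of the token is stored, so a
    // copy of the table does not contain working links.
    $token = bin2hex(random_bytes(32));
    $token_hash = hash('sha256', $token);

    // Any earlier outstanding link for this customer stops working.
    $db->prepare('UPDATE password_reset SET used = 1 WHERE customers_id = ?')
       ->execute([(int) $customer_id]);
    $db->prepare('INSERT INTO password_reset (customers_id, token_hash, expires_at, used)
                  VALUES (?, ?, ?, 0)')
       ->execute([(int) $customer_id, $token_hash, time() + RESET_TTL_SECONDS]);

    // The e-mail address is not part of the URL: the token alone selects the request.
    return rtrim($base_url, '/') . '/account_password2.php?token=' . $token;
}

/**
 * Step 2 (account_password2.php, after application_top.php): check the token.
 * Returns the customers_id on success, null otherwise. The row is marked used
 * first, so each link works exactly once even if two requests race.
 */
function consume_reset_token(PDO $db, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $token_hash = hash('sha256', $token);

    $stmt = $db->prepare('UPDATE password_reset SET used = 1
                          WHERE token_hash = ? AND used = 0 AND expires_at >= ?');
    $stmt->execute([$token_hash, time()]);
    if ($stmt->rowCount() !== 1) {
        return null;               // unknown, expired, or already used
    }

    $stmt = $db->prepare('SELECT customers_id FROM password_reset WHERE token_hash = ?');
    $stmt->execute([$token_hash]);
    return (int) $stmt->fetchColumn();
}

/**
 * Log the customer in the way login.php does, with a fresh session id so a
 * session id issued before the click cannot be reused (session fixation).
 * Which session variables login.php sets is store-specific; customer_id is the
 * one the account pages test before showing account data.
 */
function login_from_reset(int $customer_id): void
{
    session_regenerate_id(true);
    $_SESSION['customer_id'] = $customer_id;
    $_SESSION['password_reset_pending'] = true;   // lets the form hide the "current password" field
}

/**
 * Step 3: store the new password. Passwords are kept as one-way hashes, which
 * is why the old one cannot be "retrieved", only replaced. password_hash() is
 * assumed here; the stored format must be what the store's login check verifies.
 */
function set_new_password(PDO $db, int $customer_id, string $new, string $retype): bool
{
    if ($new !== $retype || strlen($new) < 8) {
        return false;
    }
    $db->prepare('UPDATE customers SET customers_password = ? WHERE customers_id = ?')
       ->execute([password_hash($new, PASSWORD_DEFAULT), $customer_id]);
    unset($_SESSION['password_reset_pending']);
    return true;
}
```

In account_password2.php the glue is: call `consume_reset_token($db, $_GET['token'] ?? '')` right after application_top.php, redirect back to password_forgotten.php when it returns null, otherwise call `login_from_reset()` and render the form with only the "new password" and "re-type password" fields; the POST handler then calls `set_new_password()`. Because the token is consumed on the first visit, a link forwarded or logged elsewhere later cannot be used to reach the account.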
