registration mail and "forgot password"

Started by jorgen, February 21, 2005, 12:46:12 PM

jorgen

I do not know if this one belongs here on the bridge-forum or some other place on this forum. But since the bridge handles registration/login, I'll try here first   :D.

-I've often seen on other forums that the registration mail mailed to new members upon registration contains both their username and password for future reference. People forget login details all the time.

-And when they forget the password, SMF asks for both username and mail address. Well, people often forget their username or which mail address they registered with.
Wouldn't it be sufficient to enter either mail address OR username to get a password-reminder?
And cannot this reminder-mail contain the old password instead of creating a new one?

Kindred

No, it can not, actually...

The password is protected with encryption. Once the user enters it, it is not in readable form..
So, there is no way (nor should there be) of including the user's current password in the email.
(That would be bad security protocol anyhow)

As for the other... well, you can make the edits to your code however you like... but personally, what SMF (and the bridge) does is standard... and it's what most people are used to. You must enter at least two pieces of information to get your information sent to your email...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

chinathetimes

Quote from: Kindred on February 21, 2005, 01:50:04 PM
No, it can not, actually...

The password is protected with encryption. Once the user enters it, it is not in readable form..
So, there is no way (nor should there be) of including the user's current password in the email.
(That would be bad security protocol anyhow)

As for the other... well, you can make the edits to your code however you like... but personally, what SMF (and the bridge) does is standard... and it's what most people are used to. You must enter at least two pieces of information to get your information sent to your email...

Currently, what happens if I am a hacker and enter my own email address???

Is it validating that address with what is on file or is it just re-setting the password and sending it to the new address?

I ask because I entered the wrong email address once and found two users in my database with the same name ... one without Joomla access but forum access Okay ... and it shut me out of the admin panel.
I'm running SMF 1.1.3 on http://www.chinathetimes.com/

Orstio

Quote
Is it validating that address with what is on file or is it just re-setting the password and sending it to the new address?

It validates the email address before sending.
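
An added example, not SMF's or the bridge's code, of the two points in this thread: a password kept only as a salted one-way hash cannot be mailed back, and a reset request is honoured only when the username and e-mail both match what is on file. The function names, the in-memory `USERS`, `RESET_TOKENS` and `OUTBOX` stores, and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

USERS = {}          # username -> record (in-memory stand-in for a member table)
RESET_TOKENS = {}   # sha256(token) -> username; the raw token is never stored
OUTBOX = []         # (recipient, body) pairs collected instead of sending mail
PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(username, email, password):
    salt = secrets.token_bytes(16)
    # Only the salt and derived hash are kept, so there is no plaintext
    # available to put into a reminder mail later.
    USERS[username.lower()] = {
        "email": email.strip().lower(),
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
    }

def check_password(username, password):
    user = USERS.get(username.lower())
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))

def request_reset(username, email):
    generic = "If the details match an account, a reset link has been sent."
    user = USERS.get(username.lower())
    supplied = email.strip().lower().encode()
    if user is not None and hmac.compare_digest(user["email"].encode(), supplied):
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username.lower()
        # Mail goes to the address on file, never to the one typed into the form.
        OUTBOX.append((user["email"], f"Reset token: {token}"))
    return generic  # same reply either way, so the form does not confirm accounts

def complete_reset(token, new_password):
    # pop() makes the token single-use
    username = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if username is None:
        return False
    salt = secrets.token_bytes(16)
    USERS[username].update(salt=salt, pw_hash=_hash_password(new_password, salt))
    return True
```

A request that names a real user but a different e-mail address leaves `OUTBOX` empty and the stored hash untouched, which is the case asked about above.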
