Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Archive /

Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

How should the "I've lost my password" feature work?


Go to End
Reply


10 Posts   5179 Views

Avatar
Markus

Google Summer of Code Hacker, 152 Posts

17 July 2007 at 4:10am

Edited: 17/07/2007 4:11am

As already mentioned in my [url=http://www.silverstripe.com/google-summer-of-code-forum/flat/2417]post on Friday[/url] the "I've lost my password" feature doesn't work anymore as expected since passwords can now be encrypted.

There are now in principle two possible solutions:

1.) Assign a new password to the account which is then mailed to the specified email address.

or

2.) Send a so called auto login hash which is a special URL that logs you automatically in without entering a password. The user can change the password then as he likes.

The downside of solution 1 is that someone can change the passwords for all accounts for which he knows the email address and people won't understand we their usual credentials doesn't work anymore unless they read their mails.

Solution 2 (which is the one I would prefer) is a little more complicate for the user he has to change the password himself but I think there are no other problems with this approach.

What do you think? Which of the two solutions should be implemented?
I would implement it in a way that the function works the same way as now for clear text passwords and sends a auto login hash for encrypted passwords (the auto login hash works only until the next successful login).

Avatar
qhoxie

Google Summer of Code Hacker, 39 Posts

17 July 2007 at 5:19am

i prefer option 1 with a method to circumvent the problem you mentioned of having the credentials changed without the user knowing

it is a combination of the two options actually, when the lost password email is entered, an email with a unique key is sent to the address, and when they click the link, a new password is emailed to them or they are taken to a confirmation or change password page

it is similar to option 2, but i guess i would say they are not authenticated until they use the new password

Avatar
Sam

Administrator, 685 Posts

17 July 2007 at 8:49pm

Solution 2 is good, as long as it shows the user a change password form straight away - like, the system shouldn't wait for them to go to a change password form themselves.

As well as the benefit you mentioned, this also means that users choose their own passwords, rather than being given passwords that they'll forget.

Avatar
Tim

Core Development Team, 201 Posts

17 July 2007 at 9:49pm

My vote is for solution2

Avatar
Markus

Google Summer of Code Hacker, 152 Posts

18 July 2007 at 1:13am

OK, so I think we agree on solution 2.

I'll implement it in the following way:

1. Click on "I've lost my password"
2. The user enters his email address and clicks on "Reset my password" (maybe some other label??)
3. The system sends the auto login hash to the user (also to users with clear text password - the user forgot it already once, so there is no need to use it again).
4. The user clicks on the link and gets to a form where he enters his password and clicks on "Change my password".
5. The system shows the message "Your password was successful changed and you can use it now to log in". (the user will not be automatically logged in because we don't know where we should redirect him - forum, /admin, ...)

Is this OK? If so I'll start with the implementation.

What's the best way to implement the change password form so that it can be easily reused?

Avatar
Markus

Google Summer of Code Hacker, 152 Posts

19 July 2007 at 2:37am

OK, it's implemented now (in r38919).

There are some (cosmetically) things that should be fixed, but everything work as it should.
I will fix those things after my vacation.

Could you all please test this new feature and if there are problems add them to the [url=http://support.silverstripe.com/gsoc/ticket/48]ticket[/url].

Thanks a lot

Avatar
thm

5 Posts

23 November 2007 at 1:21pm

Edited: 23/11/2007 1:22pm

Hi I'm having trouble retrieving my password. I do the usual Lost Password and it send an email to the specified email address, however when I click the link I get the following error message:
Change your password

The password reset link is invalid or expired.

You can request a new one here or change your password after you logged in.

I tried requesting new passwords a couple of times (all with different hashes), and repeatedly the same error message appears.

Any help/advice would be appreciated.

Avatar
Sigurd

Forum Moderator, 628 Posts

23 November 2007 at 10:24pm

To what system are you trying to receive a password for?
Obviously not this forum, since you can post messages ;)

Go to Top