A few days ago, I added an email-verification system to the account registration page. Now when you make an account, you need a valid email address that is currently not being used by any other user on the site. An email will be sent to that account containing a secret code that you will need to activate your account. If your account is not activated, you will not even be allowed to log into it. This comes in response to all of a_neezles_a's spam accounts.
I've also added a password-reset system for people who have forgotten their passwords. After failing to log in, you'll see a link asking you if you forgot your password. That link takes you to a page where you submit your email address. The account with that email will then have their password reset, and this new password is sent to that email. However, to keep people from resetting each other's passwords out of spite, it does not override the functionality of the current password.

User Comments (11)

canadianstickdeath
Age: 35 Karma: 350 Posts: 2990 Gender: Male

Lol, how does that work?
So then there's two passwords, one that I can use, and the other is the reset one. But once I log in using the reset one, that becomes the new password? What if somebody is trying to recover their password, but I'm just repeatedly clicking the reset button, lol. Or if all the passwords are valid, can't I just click the reset button a million times, and then probably just type anything and have it be one of the reset passwords? I don't really like this system, but then, it's hard to think of something else when you don't really know how people actually do it. You're sure that there's no hole...?

Livio
Age: 31 Karma: 470 Posts: 9620 Gender: Male Location: Arizona, USA

There are two fields in the database, one for the regular password, and another for the reset one. Resetting your password fills the reset-password field with a randomly generated password, and each time you log in it checks to see if your password matches any one of them. But remember that you need your current password if you want to change it to a new password, so it doesn't clear the reset-password field until you change your password again. The email you get clearly tells you to change your password right away.

canadianstickdeath
Age: 35 Karma: 350 Posts: 2990 Gender: Male

I don't know if I like the idea of somebody clicking the reset button on my account, and now there's another password floating around that can be used to log into my account with.
Did any of our members sign up using fake emails? New members should be relatively protected from this because of verification, but if your email doesn't exist, I could create it and...

snowman
I am a person.
Age: 25 Karma: 38 Posts: 1209 Gender: Male Location: Singapore The Lil' Red Dot

You are confusing me.

Teo
Age: 25 Karma: 138 Posts: 1766 Gender: Male Location: Warsaw, Poland

!!! I can now ask about it! I think in the old interguild (2006 - 2008) was that verification code. I think because of it I didn't log in there. There was also one e-mail for one user rule. Don't think about it!

Livio
Age: 31 Karma: 470 Posts: 9620 Gender: Male Location: Arizona, USA

'canadianstickdeath' said: I don't know if I like the idea of somebody clicking the reset button on my account, and now there's another password floating around that can be used to log into my account with.

The problem is that without a password, it's hard to make sure that the user is legitimate. You know what, I'm gonna set up a pruning device so that whenever you successfully log in using the real password, it'll clear the reset-password field.

'canadianstickdeath' said: Did any of our members sign up using fake emails? New members should be relatively protected from this because of verification, but if your email doesn't exist, I could create it and...

maybe we could force everyone to verify their emails before being able to log in again? Sounds like a pain, actually...

canadianstickdeath
Age: 35 Karma: 350 Posts: 2990 Gender: Male

Lol, don't do that. But there's a way to tell whether or not they exist, right?

shos
~Jack of all trades~
Age: 31 Karma: 389 Posts: 8273 Gender: Male Location: Israel

Lol i was about to post what csd said. then i read livio's answer, and that's pretty cool.
this is good

Livio
Age: 31 Karma: 470 Posts: 9620 Gender: Male Location: Arizona, USA

'canadianstickdeath' said: Lol, don't do that. But there's a way to tell whether or not they exist, right?

other than sending them an email? I don't know, maybe I should look it up...
I just looked it up and it turns out there is a way to check if an email exists using php and without having to send them mail. I should probably try that on all of the users' emails to see how many of them don't exist. And I could probably add that check to the register page too.
Btw, I looked at how dekudude runs the password-reset system on his site, and he sends two emails: one confirming whether you want to reset your password, and then another that actually resets it. Maybe doing it like that would be theoretically more secure because you wouldn't have two passwords at any one time...

imtimi
5 x 6 = ?
Karma: 57 Posts: 167 Gender: Male

I swear, Livio, you always code things beyond necessary. Why don't you just use the standard "forgot your password" system and make it so that the currently used password of the account is sent to the email address? There's no need to mix things up with a reset password. But, uh, yeah, email verification was a good implementation.

Livio
Age: 31 Karma: 470 Posts: 9620 Gender: Male Location: Arizona, USA

'imtimi' said: I swear, Livio, you always code things beyond necessary.

While that may be true, it's just that passwords are so secure that I cannot retrieve them from the database. They are encoded into some code, and there is no way to decode them (and that's the point of the system).
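
The two-field reset scheme described in this thread, together with the pruning step Livio proposes, modelled as an added example that is not the site's own code. The class and method names are hypothetical, and salted PBKDF2 stands in for whatever one-way hash the site actually uses.

```python
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # Salted one-way hash: stored values cannot be decoded back to passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = os.urandom(16)
        self.password_hash = _hash(password, self.salt)
        self.reset_hash = None  # the second, "reset-password" field

    def request_reset(self) -> str:
        """Fill the reset field with a random password; the real one still works."""
        temp = secrets.token_urlsafe(12)
        # One field only: a new request overwrites the previous reset password.
        self.reset_hash = _hash(temp, self.salt)
        return temp  # would be emailed to self.email, never shown to the requester

    def login(self, attempt: str):
        """Return which credential matched ("password" or "reset"), else None."""
        h = _hash(attempt, self.salt)
        if hmac.compare_digest(h, self.password_hash):
            self.reset_hash = None  # pruning: a real login discards the reset password
            return "password"
        if self.reset_hash is not None and hmac.compare_digest(h, self.reset_hash):
            return "reset"  # stays valid until pruned or the password is changed
        return None

    def change_password(self, current: str, new: str) -> bool:
        # Either valid credential authorises the change; both fields end up clean.
        if self.login(current) is None:
            return False
        self.password_hash = _hash(new, self.salt)
        self.reset_hash = None
        return True
```
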