Gossamer Forum

Password Logon?

Hi All...just a general question for those using Dbman 204 with signup option activated.
On my site I have a continuous problem with registered parties having difficulty logging on...I've made it as easy as possible but the problem persists...I was wondering if any other users were experiencing the same problem or is there an inconsistent weakness within the script? Your input is appreciated..thanks Rob
Re: Password Logon? In reply to
What problems are they having? I haven't known of any problems unless the user has entered a username or password incorrectly. Are they entering it correctly and still having problems?


------------------
JPD






Re: Password Logon? In reply to
Hi Carol...That's a good question...when I get a logon problem emailed to me, I logon using their User ID and Password and all seems fine, however the fact that the same person encounters repeated problems concerns me. I get 4 to 5 reported problems a day...certainly people are capable of entering a simple User ID and Password correctly. Thanks Rob
Re: Password Logon? In reply to
One would think. :-)

I don't think a lot of people understand that both the password and the userid are case-sensitive. Do you think it would be worthwhile to write something that would make it so they weren't?


------------------
JPD






Re: Password Logon? In reply to
Hi Carol...well you know I indicate that in my emails, but you know I really don't know whether a lot of users are even familiar with the term "case-sensitive"..if it wouldn't be too demanding ...I think it would be an excellent idea as it would eliminate just one more error variable....another little idea just occurred to me, would it be possible to add a User ID lookup similar to the Password Lookup...a person enters their email address and then their User ID is emailed out...people just don't seem to hold on to these bits of data..I guess they accumulate so many User ID's and Passwords around the net..things just get too confusing...what do you think...Rob
Re: Password Logon? In reply to
The mod sounds interesting. I, too, am tussling with the authorisation section of the script. I would like it to create a file containing the UserID, password (non-encrypted) and user's email address (to be requested in the html_signup_form as an additional field). This file could then be used as a lookup to return the UserID and Pwd when a user forgets it. It would also allow monitoring of multiple registrations by the same user. This is not as elegant as an automated solution, such as proposed by Benseb, but is probably sufficient for my requirements. Does anyone know how this should be done? I have tried to add the email field in the html, but it seems to screw up the log-in process. :-(
I would be keen to try the mod suggested by benseb.

Cheers

------------------
David Olley
david@afil.co.uk
Re: Password Logon? In reply to
A lot depends on how secure you want your site to be.

Making the username and password case-insensitive makes things a little less secure, in that passwords might be easier to guess. But I think that might be a reasonable risk to take.

The secure password lookup mod sends out both the userid and the password, so I'm not sure a new mod to just send out the userid is necessary.

If I understand Ben's modification, this is really pretty insecure. All I would need to do is enter anyone's email address that I knew was on the system and I would have access to their records. It might not be too bad if no one could figure out what the email addresses of users are, but since the addresses are unencrypted in the .pass file, anyone who might read the .pass file would have access to everyone's data. On the plus side, from what Ben said, an email is sent so that the person would be aware that someone else logged in using their email address.

David, I'm really gun-shy about having unencrypted passwords in any file after one of my clients had his entire database thrashed by a hacker. We were able to narrow it down to probably another user on his system who accessed the client's .pass file. (This is when I was still using my original password lookup mod that had the passwords unencrypted.)

I can work on a case-insensitive password lookup thing later today.


------------------
JPD
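
An added example (not part of the original thread and not DBMan code) of the trade-off discussed in the post above: only the user ID is folded to lower case, the password stays case-sensitive, and the file holds a salted PBKDF2 hash, so reading the password file does not reveal passwords. The record layout, sub names, iteration count and sample account are assumptions, and the salt is read from /dev/urandom, so a Unix-like host is assumed.

```perl
# Added illustration, not DBMan code. The record layout (userid:salt:hash),
# the sub names and the iteration count are assumptions.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);
my $ITER = 100_000;

# First 32-byte block of PBKDF2-HMAC-SHA256, using core modules only.
sub pbkdf2_sha256 {
    my ($pw, $salt, $iter) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $pw);
    my $t = $u;
    for (2 .. $iter) {
        $u = hmac_sha256($u, $pw);
        $t = $t ^ $u;                     # string XOR of two 32-byte values
    }
    return $t;
}

# Compare two byte strings without stopping at the first difference.
sub same_bytes {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord($_) for split //, $x ^ $y;
    return $diff == 0;
}

# Build one password-file line. Only the user ID is case-folded.
sub make_record {
    my ($userid, $pw) = @_;
    open(my $rng, '<:raw', '/dev/urandom') or die "no /dev/urandom: $!";
    read($rng, my $salt, 16) == 16 or die "short read from /dev/urandom";
    close($rng);
    return join ':', lc($userid), unpack('H*', $salt),
                     unpack('H*', pbkdf2_sha256($pw, $salt, $ITER));
}

# User ID is matched case-insensitively, the password exactly as typed.
sub check_login {
    my ($record, $userid, $pw) = @_;
    my ($uid, $salt_hex, $hash_hex) = split /:/, $record;
    return 0 unless lc($userid) eq $uid;
    my $got = pbkdf2_sha256($pw, pack('H*', $salt_hex), $ITER);
    return same_bytes($got, pack('H*', $hash_hex));
}

my $rec = make_record('RobSmith', 'Blue7Kite');    # constructed sample account
print "ROBSMITH / Blue7Kite: ", (check_login($rec, 'ROBSMITH', 'Blue7Kite') ? "ok" : "denied"), "\n";
print "robsmith / blue7kite: ", (check_login($rec, 'robsmith', 'blue7kite') ? "ok" : "denied"), "\n";
```

Because user IDs are folded to lower case, signup has to test uniqueness on the folded form as well, otherwise two IDs that differ only in case would map to the same record.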






Re: Password Logon? In reply to
The password lookup mod (secure) that I just installed emails your UserID and a new Password....

As I hate people having to check their email before logging on, it then fills in the login form with the username and password. Obviously the password is ******* so they have to look at their email to logon in the future.

Would that help?

------------------
Ben

-------------------------
http://www.t-e.co.uk

Re: Password Logon? In reply to
Hi all
I'm new to this forum so sorry to barge in. I've read this thread with great interest.
I use DBMAN for a classified ads section. After doing hard work translating/customizing DBMAN to French (Dutch is on the way) I'm stuck at the 'user forgot his password' problem.
Wouldn't a good compromise between having a random generated password sent by mail (so having to wait for it to arrive before being able to log in, which can sometimes take ages because of server problems somewhere on the way) and the Admin having to reset the password, be that the user still chooses his password at sign-up, but has the option of having a random generated password sent by mail (so e-mail address required at sign up or no passwd. recovery) in case he/she forgets it?


Re: Password Logon? In reply to
Yes, you could do that. The reason I set it up the way I did was to be certain the user entered a valid email address.


JPD
Re: Password Logon? In reply to
Any hint on how this could be established with the existing secure passwd. lookup mod? (by skipping the random passwd. generation at sign up, I suppose)
I've been trying to do it by fiddling with the script but I broke more than I fixed so I removed it for the time being.


Re: Password Logon? In reply to
In sub html_signup, you'll need to add a field for the password:

Code:

<tr><td><b>Password:</b></FONT></td>
<td><input type="password" name="pw" value="$in{'pw'}"></td></tr>

In sub signup, uncomment the following lines:

Code:

#### Following lines deleted for secure_password_lookup mod
# unless ((length($in{'pw'}) >= 3) and (length($in{'pw'}) <= 12)) {
# $message = "Invalid pw: '$in{'pw'}'. Must be less then 12 and greater then 3 characters.";
# }

so that they look like this:

Code:

unless ((length($in{'pw'}) >= 3) and (length($in{'pw'}) <= 12)) {
    $message = "Invalid pw: '$in{'pw'}'. Must be less then 12 and greater then 3 characters.";
}

In the same subroutine, delete the following:

Code:

#### Following line added for secure_password_lookup mod
$in{'pw'} = &generate_password;

If you don't want to send email to the user, delete from

open (MAIL, "$mailprog") || &cgierr("Can't start mail program");

through

close (MAIL);

That should do it.


JPD
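
An added example, not from the original post and not DBMan's own code: the same signup password field and length check, written so that the submitted password is never written back into the page or into the error message, and anything that is echoed is HTML-escaped first. It assumes %in holds raw, unescaped form input; the userid field name, the sub names and the sample submission are assumptions.

```perl
# Added illustration, not DBMan code. %in stands for the parsed form input
# and is assumed to hold raw, unescaped values; sub names are hypothetical.
use strict;
use warnings;

my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');

# Escape a value before placing it in HTML text or a quoted attribute.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/([&<>"'])/$ENT{$1}/g;
    return $s;
}

# Same length rule as the check in the post; the message names the rule, not the value.
sub check_password {
    my ($pw) = @_;
    $pw = '' unless defined $pw;
    return '' if length($pw) >= 3 and length($pw) <= 12;
    return 'Invalid password: must be 3 to 12 characters long.';
}

# Signup rows: the user ID is echoed escaped, the password field is always empty.
sub signup_rows {
    my (%in) = @_;
    my $uid = html_escape($in{'userid'});
    return qq|<tr><td><b>User ID:</b></td>\n|
         . qq|<td><input type="text" name="userid" value="$uid"></td></tr>\n|
         . qq|<tr><td><b>Password:</b></td>\n|
         . qq|<td><input type="password" name="pw" value=""></td></tr>\n|;
}

# Constructed sample submission: markup in the user ID, a too-short password.
my %in = (userid => q{rob"><b>x</b>}, pw => 'ab');
my $message = check_password($in{'pw'});
print signup_rows(%in);
print html_escape($message), "\n" if $message;
```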
Re: Password Logon? In reply to
Did what you told me to do, and it works like a charm ;o)

Thx,

Patrick

Re: Password Logon? In reply to
I'm glad I could help. :-)


JPD