Gossamer Forum

Password Lookup alternative?

Password Lookup alternative?
Hi! I just read one of the recent posts on password lookup. I was wondering if anyone can help me figure out how to do the following:
1) Allow users to sign up with their choice of password.
2) Give immediate access once they sign up.
3) My login form only has 2 fields: StudentID and password, and no email address.
4) If users forget their password, they can then retrieve their password through email. The thing is that after the user signs up, they have to add a record to the database, and one of the fields in the database requires them to enter an email address.

I hope I was clear. By the way, this script is one of the best database scripts I found on the web and not to mention the swell support I have gotten so far from this forum. :)

Julian
Re: Password Lookup alternative?
I can rewrite the password lookup mod if you want.

Would you like the users to be sent their original password instead of a new one? It would mean that you would have to keep the passwords unencrypted on your server. I have an old mod I wrote a long time ago that does that. I pulled it from the list after a client of mine had his entire database trashed by someone who got hold of the .pass file. But if you want to take the risk, I'll give you the code.


JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
Hi! Thanks for the prompt reply. Yes, I would very much appreciate if you can rewrite the password mod. And I want to send a new password which can be encrypted to the user.

Thanks a lot!


Julian
Re: Password Lookup alternative?
Well, I went on the assumption that you wanted an unencrypted password -- that's what I get for assuming -- so I've got that mod written.

It's very late where I am, so I'll have to write the one you really want tomorrow (later today!).


JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
donm did re-post the un-encrypted version and posted the URL in this forum a while back (like three months ago).

Regards,

Eliot Lee
Re: Password Lookup alternative?
Yeah, but there were a lot of flaws in that script. I got it from Don's site and used it as a basis for the one I wrote last night.

Once I get the current crop of questions answered, I'll be back with this.

JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
Okay. I have a new password lookup mod written. It does not require the user to enter an email address at the time of signup (given that the user enters their address in the .db file). It allows the user to choose his or her own password, but it does not verify that the email address is valid. The passwords are encrypted, so that when the user requests a lookup, a new password is generated and mailed to the address in the .db file. The user can enter either his or her email address or username on the lookup form.

You can pick up the mod at http://www.jpdeni.com/...semi_secure_look.txt. Please let me know how it works for you. I haven't tested the mod, so I don't want to put it into the Resource Center as yet.


JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
Oops... Looks like I made another boo-boo with my message. Actually, what I would like is an encrypted password. Like what you suggested in your reply, a new encrypted password would be sent to the user if he or she forgot the old one.

Sorry about the misunderstanding.

Julian
Re: Password Lookup alternative?
Thanks a lot. I'm going to try it out now and let you know the result.

Julian
Re: Password Lookup alternative?
Yup. I tested it out. The only minor problem was that you added an extra ) on one of the lines, which is shown below:

$mailtext .= "Your $db_name User ID is: $data[$auth_user_field])\n";

The line was found in the new subroutine called sub lookup in the file db.cgi.

Other than that, it is working like a charm. A million, trillion, zillion, thanks to you. (kisses your feet!) :)

Julian
Re: Password Lookup alternative?
Wonderful! Thank you for letting me know about the error. It's that kind of thing that can really cause problems, but is hard to see.

I'm glad I could help.

In Reply To:
(kisses your feet!) :)
Good thing I just got out of the shower!!!


JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
Do you think there is any way to convert the sub lookup { routine to SQL format? That would rule!

Re: Password Lookup alternative?
Probably. I'll be considering creating mods for DBMan-SQL when (if) I ever get done with my current list of things to do.

JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
This mod is excellent! What should I use to allow the customer to change their password after they log in? Are there other subroutines that will work?

Re: Password Lookup alternative?
You could use the Change Password mod at http://www.jpdeni.com/...s/secure_lookup.html. (Don't forget to pick up the correct html code as well.)

You'll need to change two lines in the mod.

Delete the text in red below:

($userid, $pw, $view, $add, $del, $mod, $admin, $email) = split (/:/, $found);

and

print PASS "$userid:$encrypted:$view:$add:$del:$mod:$admin:$email\n";



JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
Hehe, guess what. A user could search "admin" or the admin's email address. Although this will not send the email to the user, it does change the admin's password.

Is there a way to modify sub lookup { to check for the admin permission? If the admin permission is there, then DON'T make the password change.

Temporarily, I changed it to this:
unless ($in{'lookup'} eq "admin" or $in{'lookup'} eq $db_admin_email) {
    if ((lc($in{'lookup'}) eq lc($data[3])) or ($in{'lookup'} eq $data[0])) {
        $found = 1;
        last;
    }
}

Any ideas?


Re: Password Lookup alternative?
That would work. Another way would be

unless ($data[6]) {

Of course, this would mean that anyone with admin permission would not be able to do a lookup.

The only real way to prevent users from maliciously changing someone else's password is to write the new one to a different file. Then, when they log in, the script would have to look in both files. If it's in the temporary file, it would overwrite the line in the permanent file. Either way, it would be deleted from the temporary file. But that would be really complicated to do.

Although it would be a pain for the user, the simple way to do it would be for the user whose password had been changed to do another lookup and get another password. No one would be prevented from entering the database and no one would get a password to anyone else's account.

JPD
http://www.jpdeni.com/dbman/
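The two-file scheme described above, as an added example that is not part of the thread or of the DBMan mod: a lookup writes the new hash only to a pending file, and a login promotes it into the .pass file once the owner actually uses it, so an anonymous lookup can no longer lock the real owner out. The file names, the pending-file format and the fixed salts are assumptions; in db.cgi you would keep the mod's random salt and its flock calls.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);
# Read a colon-separated file (assumed layout userid:crypt:view:add:del:mod:admin:email) into a hash keyed by userid.
sub read_pass_file {
    my ($file, %rec) = @_;
    open my $fh, '<', $file or die "cannot open $file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        my @f = split /:/, $line, -1;
        $rec{$f[0]} = \@f if length $line;
    }
    close $fh;
    return \%rec;
}
sub write_pass_file {
    my ($file, $rec) = @_;
    open my $fh, '>', $file or die "cannot open $file: $!";
    print $fh join(':', @{$rec->{$_}}), "\n" for sort keys %$rec;
    close $fh;
}
# Lookup side: hash the new password into the pending file only; the live .pass entry is untouched.
sub store_pending_password {
    my ($pending_file, $userid, $plain, $salt) = @_;
    my $rec = read_pass_file($pending_file);
    $rec->{$userid} = [$userid, crypt($plain, $salt)];
    write_pass_file($pending_file, $rec);
}
# Login side: try the permanent hash first, then the pending one; a pending match is promoted, any success clears it.
sub authenticate {
    my ($pass_file, $pending_file, $userid, $plain) = @_;
    my ($perm, $pend) = (read_pass_file($pass_file), read_pass_file($pending_file));
    return 0 unless exists $perm->{$userid};
    my $stored  = $perm->{$userid}[1];
    my $pending = $pend->{$userid} ? $pend->{$userid}[1] : '';
    my $ok = crypt($plain, $stored) eq $stored;
    if (!$ok && length $pending && crypt($plain, $pending) eq $pending) {
        $perm->{$userid}[1] = $pending;   # promote the pending hash into .pass
        write_pass_file($pass_file, $perm);
        $ok = 1;
    }
    write_pass_file($pending_file, $pend) if $ok && delete $pend->{$userid};
    return $ok ? 1 : 0;
}

# Constructed demo: julian's real password is 'old'; a lookup by someone else stores 'new' as pending.
my ($fh, $pass_file) = tempfile(); print $fh "julian:" . crypt('old', 'ab') . ":1:1:0:0:0:j\@example.invalid\n"; close $fh;
my ($pfh, $pending_file) = tempfile(); close $pfh;
store_pending_password($pending_file, 'julian', 'new', 'cd');
print authenticate($pass_file, $pending_file, 'julian', 'old') ? "old password still works\n" : "locked out\n";
```

A pending entry should also be given an expiry, otherwise a mailed password that is never used stays valid indefinitely.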
Re: Password Lookup alternative?
Hmmm... that doesn't work because of the area that I put the unless code in. $data[6] would be looking at field 7 in the .db file instead of the .pass file.

Aha! I think I have a solution. In the area where it looks at the .pass file, I added a new section:

unless ($data[6]) {
    &html_lookup_form("Not authorized to lookup $data[0]");
    return;
}


That seems to work great!
Re: Password Lookup alternative?
Man, I suck. I was wrong; my code does not work. The $data[6] stuff is looking at the .db file instead of the .pass file.

I've spent a good amount of time on this and can't seem to come up with a statement that checks for the admin permission. Any help would be appreciated.

Re: Password Lookup alternative?
I don't know what code you already have, so I can't tell you how to fix it. Post your code (if it's short) or let me see the db.cgi file and I'll see what I can come up with.

JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
Code:
sub lookup {
# --------------------------------------------------------
    my $found = 0;
    my $passfound = 0;
    my ($line, @lines, $passline, @passlines, $message, @passdata, $outline);

    # Look the user up in the customer .db file by email (field 3) or user ID (field 0).
    $db_customer_file_name = $db_script_path . "/secure/customer.db";
    open (DB, "<$db_customer_file_name") or &cgierr("error in lookup. unable to open db file: $db_customer_file_name.\nReason: $!");
    if ($db_use_flock) { flock(DB, 1); }
    @lines = <DB>;
    close DB;
    foreach $line (@lines) {
        chomp $line;
        @data = &split_decode($line);
        if ((lc($in{'lookup'}) eq lc($data[3])) or ($in{'lookup'} eq $data[0])) {
            $found = 1;
            last;
        }
    }
    unless ($found) {
        &html_lookup_form("No record found for $in{'lookup'}");
        return;
    }

    # Pull the matching line out of the .pass file; every other line is kept in $output.
    open (PASS, "<$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
    if ($db_use_flock) { flock(PASS, 1) }
    @passlines = <PASS>;
    close PASS;
    foreach $passline (@passlines) {
        if ($passline =~ /^$data[0]:/) {
            $passfound = $passline;
        }
        else {
            $output .= $passline;
        }
    }

    unless ($data[6]) {
        &html_lookup_form("Not authorized to lookup $in{'lookup'}");
        return;
    }

    unless ($passfound) {
        &html_lookup_form("$data[0] not found in password file");
        return;
    }

    # Generate and encrypt a new password.
    my $password = &generate_password;

    srand( time() ^ ($$ ($$ << 15)) ); # Seed Random Number
    my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
    my $salt = join '', @salt_chars[rand 64, rand 64];
    my $encrypted = crypt($password, $salt);

    chomp $passfound;
    @passdata = split (/:/, $passfound);

    $passdata[1] = $encrypted;
    $outline = join ':', @passdata;
    $output .= $outline . "\n";

    # Write the whole .pass file back with the updated line.
    open (PASS, ">$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
    if ($db_use_flock) {
        flock(PASS, 2) or &cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
    }
    print PASS $output;
    close PASS;

    $newpassword = $password;

    #$message = $mailtext;
    if ($db_on_NT) {
        require $db_script_path . "/secure/Mailer.pm";
        &send_lookup_pass_smtp;
    }
    else {
        &send_lookup_pass_sendmail;
    }

    &html_lookup_success($message);
}
Re: Password Lookup alternative?
I see a couple of problems.

Code:

foreach $passline (@passlines) {
    @data = split /:/, $passline;
    if ($passline =~ /^$data[0]:/) {
        unless ($data[6]) {
            &html_lookup_form("Not authorized to lookup $in{'lookup'}");
            return;
        }

        $passfound = $passline;
    }
    else {
        $output .= $passline;
    }
}
unless ($passfound) {
    &html_lookup_form("$data[0] not found in password file");
    return;
}
JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
Hmmm,

With this code, I get a 500 error:
malformed header from script. Bad header=1... User unknown

When I switched it to:

@data2 = split(/:/, $passline);
if ($passline =~ /^$data[0]:/) {
    unless ($data2[6]) {

The error went away, but it still let me look up users with admin permission, which tells me that my code is still not searching that permission field properly.

Re: Password Lookup alternative?
Make sure that your line

srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number

is correct. In the code you posted above, there was a missing +.

Let's try this again.

Code:

foreach $passline (@passlines) {
    if ($passline =~ /^$data[0]:/) {
        $passfound = $passline;
        @data2 = split /:/, $passline;
        if ($data2[6]) {
            &html_lookup_form("Not authorized to lookup $in{'lookup'}");
            return;
        }
    }
    else {
        $output .= $passline;
    }
}


I don't know what I was thinking before. I had things backwards.

JPD
http://www.jpdeni.com/dbman/
Re: Password Lookup alternative?
Wehoo!
That's better :) Thanks!
I had to add:
chomp $passline;
and it worked great!

Thanks!
