Gossamer Forum

A revisit: Lost Password request by email

I have read the threads on this subject that I could find (primarily http://www.gossamer-threads.com/...orum.cgi?post=200949 and http://www.gossamer-threads.com/...orum.cgi?post=205223), but after finding no posts that seem to resolve this, I, too, will ask how I can modify the lost password request so that it will allow a user to retrieve the password by entering the email instead of the user name.

The original subroutine in GForum::User.pm:
Code:
$COMPILE{lost_password} = __LINE__ . <<'END_OF_SUB';
sub lost_password {
    shift;
    my ($do, $func) = @_;
    my $page = $func->{page};
    my $username = $IN->param('user_username');
    my $user;
    if ($username) {
        my $User = $DB->table('User');
        if ($user = $User->select({ user_username => $username })->fetchrow_hashref) {
            my $temp_pass = random_password();
            $User->update({ user_temp_pass => $temp_pass }, { user_id => $user->{user_id} });
            if (my $error = send_temp_pass_email($user, $temp_pass)) {
                die $error;
            }
        }
        else {
            return($page->{invalid_username} => { error => GForum::language('USER_INVALID_USERNAME', $username) });
        }
    }
    else {
        return($page->{enter_username});
    }
    return($page->{success}, $user);
}
END_OF_SUB


I changed references of "username" to "email", and "user_username" to "user_email", per the user table in the db.

I added a language var, naming it "USER_INVALID_USEREMAIL" with the text "%s is not a listed email address for a member of our forums."

I modified the template (lost_password_enter_username.html) in two places: changed "enter your user name" to "enter your email address" in the form, and replaced the "name" in "<input class="button" type="text" name="user_username">" with "<input class="button" type="text" name="user_email">"

To test it out, when I open the login page and then click on the link (/gforum.cgi?do=lost_password;), I get an internal server error; the error log states a premature end of script headers error in gforum.cgi.

Have I missed something? Is there something else I need to modify?

For your perusal, the subroutine as I modified it:
Code:
$COMPILE{lost_password} = __LINE__ . <<'END_OF_SUB';
sub lost_password {
    shift;
    my ($do, $func) = @_;
    my $page = $func->{page};
    my $useremail = $IN->param('user_email');
    my $user;
    if ($useremail) {
        my $User = $DB->table('User');
        if ($user = $User->select({ user_email => $useremail })->fetchrow_hashref) {
            my $temp_pass = random_password();
            $User->update({ user_temp_pass => $temp_pass }, { user_id => $user->{user_id} });
            if (my $error = send_temp_pass_email($user, $temp_pass)) {
                die $error;
            }
        }
        else {
            return($page->{invalid_email} => { error => GForum::language('USER_INVALID_USEREMAIL', $useremail) });
        }
    }
    else {
        return($page->{enter_email});
    }
    return($page->{success}, $user);
}
END_OF_SUB


Thanks in advance for any insight.
Winners never quit, and Quitters never win, and those who never ever win and never quit are called Idiots.
Re: [WhiteHat] A revisit: I'll keep it short In reply to
Since my longwinded question received neither a response nor an answer, I'll ask it simply:

What does one have to modify in the so that a person can enter his/her e-mail address instead of the user name when he/she requests a lost password?

The question is simple. Any responses out there?
Re: [WhiteHat] A revisit: I'll keep it short In reply to
I would like this function too. It was hinted that it would be available soon...it was unclear whether it's going to be in 1.2.0 or v2.....I do see that one of us here has done this already...

http://www.realiiity.com/...cgi?do=lost_password;

maybe ellipsiiis could help us out...

Dave
Re: [bretzke] A revisit: I'll keep it short In reply to
hello

The best way for thsi Funktion ist to make possible that the User can send neu Passwort after entry Username or email adress.

The next Version must have this function, because many Users vorgotten the Username rather than his email adress

greeting hoefti
linktobuy Web Directory
Ratgeber Recht
Re: [hoefti] A revisit: I'll keep it short In reply to
Hehe, I like your morphing of German and English words Wink
Re: [Paul] A revisit: I'll keep it short In reply to
Hi Paul, I like it too, but I hope anyone can understand what I mean.

Nice Weekend
greeting hoefti
linktobuy Web Directory
Ratgeber Recht
Retrieve password w/ e-mail address In reply to
Any progress on this with 1.2.0? I'd really like to implement this mod.

If users can't remember their password, their username is probably not far behind. Tongue
Re: [ArmyAirForces] Retrieve password w/ e-mail address In reply to
You can turn on the option to not allow duplicate e-mails, in which case they'll be given their username if they try to sign up. The main problem here is that one e-mail address could be used for 50 different accounts; I don't think you'd want to e-mail _all_ of them.

Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
Re: [Jagerman] Retrieve password w/ e-mail address In reply to
I don't allow multiple accounts per address so that isn't an issue. I'm not sure a significant majority of Gforum installations would allow them either?

IMHO, it is more user friendly to have the lost password based on the e-mail address. I'm not familiar with any other forum package that doesn't.

From previous posts on the subject, it seemed to be a popular request. If anything, perhaps in 2.0.0 it would at least be an option? Otherwise, I'll hold out hope for somebody coding up a hack to 1.2.0.
Re: [ArmyAirForces] Retrieve password w/ e-mail address In reply to
I don't allow multiple addresses either. I modified this sub in User.pm in 1.18.
I also changed the templates for the lost_password page and the remind_password.eml template.

remind_password.eml template:
Code:

Here is the <%site_title%> login reminder you requested:

Username: <%user_username%>
Password: <%user_password%>

Password hints:
Make sure you type your username and password correctly. All usernames and
passwords are (CaSe SeNsitIvE).

The forum can be found at:

<%cgi_root_url%>/gforum.cgi?do=login;user_username=<%GT::CGI::escape($user_username)%>

Here is sample page:
http://www.ptcruiserclub.org/...cgi?do=lost_password;


Code:
# CRUZN8R modified to just send the password reminder instead of temporary password BS
$COMPILE{lost_password} = __LINE__ . <<'END_OF_SUB';
sub lost_password {
    shift;
    my ($do, $func) = @_;
    my $page = $func->{page};
    my $email = lc ($IN->param('user_email'));
    my $user;

    (!length $email) and return($page->{enter_username});
    if ($email and $email =~ /.@(?:[a-zA-Z0-9][a-zA-Z0-9-]*\.)+[a-zA-Z0-9][a-zA-Z0-9-]*$/ ) {

        my $User = $DB->table('User');
        if ($user = $User->select({ user_email => $email })->fetchrow_hashref) {
        }
        else {
            return($page->{enter_username} => { error => GForum::language('USER_WRONG_EMAIL', $email) });
        }
    }
    else {
        return($page->{enter_username} => { error => GForum::language('USER_EMAIL_BAD_SYNTAX', $email) });
    }
    # send the reminder email
    _send_email("remind_password.eml", $user);
    return($page->{success}, $user);
}
END_OF_SUB

----------
Michael J. Challis - CRUZN8R - PT Cruiser Club - http://www.ptcruiserclub.org

http://www.ptcruiserclub.org/forum

Last edited by CRUZN8R: May 25, 2003, 8:21 PM
Re: [CRUZN8R] Retrieve password w/ e-mail address In reply to
Wouldn't work for me. Is there anything in the sub that is mySQL specific? I'm running MSSQL.
Re: [ArmyAirForces] Retrieve password w/ e-mail address In reply to
I use MySql, not sure if that has anything to do with this code. What error do you get?

I am using clear text passwords. Some people use encrypted. This might only work for clear text passwords as coded.

For this mod, I installed the code in my post above and modified the lost_password_enter_username.html to input the e-mail instead of username:

Code:

10c10
< your password. It requires you to enter your username.
---
> your password. It requires you to enter your email.
36a37,39
> <%if error%>
> <%body_font%><font color=red><%error%><%/body_font%> <%body_font%>
> <a href="<%cgi_root_url%>/gforum.cgi?do=user_signup;">Click here if you need to register</a>
> <br><br><%/body_font%>
> <%endif%>
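Review bot: In the added `<%if error%>` block, `<font color=red>` is opened before `<%error%>` and never closed, so the red styling can run on into the "Click here if you need to register" link; add `</font>` right after `<%error%>`. The header `36a37,39` announces three added lines while five are shown, so the block looks re-wrapped in the post and should be compared with the real template before copying. `<%error%>` will carry the USER_WRONG_EMAIL text, which embeds the address the visitor typed, so confirm that value is HTML-escaped before it is rendered.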
47,50c50
< If you have lost your password, <%site_title%> can generate a new temporary
< password for you to log in with. Note that after logging in the temporary
< password will be lost so you should change your password immediately upon
< logging in with the temporary password. The temporary password will be sent
---
> If you have lost your password, <%site_title%> can sent it to you. Your password will be sent
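Review bot: The replacement sentence reads "can sent it to you" and should read "can send it to you". The new wording also promises that the existing password is mailed rather than a temporary one, which per the post only works with clear text passwords, so this text needs to stay in step with the storage mode the forum actually uses.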
58c58
< Enter your username:
---
> Enter your email address:
62c62
< <input class="button" type="text" name="user_username">
---
> <input class="button" type="text" name="user_email">
67c67
< <input class="submit" type="submit" value="Send temporary password">
---
> <input class="submit" type="submit" value="Send password">

Also added two language vars:

'USER_WRONG_EMAIL' => '%s does not match an e-mail in our forum registry. Perhaps you have not registered before, or this is not the e-mail you registered with.',

'USER_EMAIL_BAD_SYNTAX' => 'You did not enter a valid email format.',

Hope this helps. When you start making changes you kind of have to troubleshoot as you go. It is common to make a typo; once you see the error, then make the change to fix it. Some people won't want to dabble in the programming. I always back up the original file before I change it. I also have a development server set up on my local network so I don't break my live server when testing something new.


----------
Michael J. Challis - CRUZN8R - PT Cruiser Club - http://www.ptcruiserclub.org

http://www.ptcruiserclub.org/forum

Last edited by CRUZN8R: May 25, 2003, 11:00 PM
Re: [CRUZN8R] Retrieve password w/ e-mail address In reply to
I'm using the encrypted passwords since the setup page "Strongly" encourages you to do so. Wink

And it can't be changed without breaking all the old passwords.

I didn't get any error code, it just cycled back to the same page. I know I didn't change the name="user_email" so I'll fix that and see what it does. I'll try to play with it later tonight and see if it makes a difference.
Re: [ArmyAirForces] Retrieve password w/ e-mail address In reply to
Note that the perl function crypt is intended to be a one-way function, much like breaking eggs to make an omelette. There is no (known) corresponding decrypt function.

I guess if I needed to change the GForum passwords to clear text midstream I would write a script to give each user a temporary password and send an e-mail asking them to log in to change it. If I was to use such a script I would back up my database first and test on my development server before using it. Fortunately I have not had to do that because I made the decision at install to only use clear text passwords because I wanted to use my feature mod to e-mail the passwords to the user upon request and I only allow one user per email address so that can be utilized.

----------
Michael J. Challis - CRUZN8R - PT Cruiser Club - http://www.ptcruiserclub.org

http://www.ptcruiserclub.org/forum

Last edited by CRUZN8R: May 26, 2003, 10:45 AM
Re: [CRUZN8R] Retrieve password w/ e-mail address In reply to
In Reply To:
Note that the perl function crypt is intended to be a one-way function, much like breaking eggs to make an omelette. There is no (known) corresponding decrypt function.

It's actually using an MD5-crypt scheme, which is far more reliable and much harder to break than a crypt() one (although the crypt() one is simultaneously supported - for example, any password that hasn't been changed since we moved from WWWThreads to GForum is still stored as crypt()). That said, the purpose of the temporary password is that a new password can be set without worrying about changing the old one. We could have done without it, but that would mean that _anyone_ can set a new password on your account, which could be quite annoying.

I've got a couple issues still needing to be checked out with 1.2.0, but I'll see if I can whip something up later today that provides this functionality.

Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
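
The temporary-password scheme described in the post above, as an added example that is not GForum code and not written by anyone in this thread: a reset requested by e-mail address writes only user_temp_pass, so the stored password keeps working and nobody else can overwrite it. The in-memory %users table, the salt field, the digest helper and the /dev/urandom generator with an alphanumeric alphabet are assumptions made for illustration.

```perl
use strict; use warnings;
use Digest::SHA qw(sha256_hex);
# Salted SHA-256 keeps this demo core-only; a real forum would use a slow password hash.
sub digest { my ($salt, $pw) = @_; return sha256_hex("$salt:$pw") }

# Constructed in-memory stand-in for the User table (sample data, not GForum's storage).
my %users = (
    1 => { user_username => 'alice', user_email => 'alice@example.com', salt => 'k3',
           user_password => digest('k3', 'old-secret'), user_temp_pass => undef },
);

# Alphanumeric temporary password drawn from /dev/urandom (Unix-like host assumed).
sub random_temp_pass {
    my ($len) = @_;
    my @alpha = ('a' .. 'z', 'A' .. 'Z', '0' .. '9');
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $out = '';
    while (length($out) < $len) {
        read($fh, my $byte, 1) == 1 or die "short read from /dev/urandom";
        my $n = ord $byte;
        next if $n >= 248;    # 248 = 4 * 62; rejecting the rest avoids modulo bias
        $out .= $alpha[$n % @alpha];
    }
    return $out;
}

# Lost-password request: only user_temp_pass is written, user_password is untouched.
sub request_reset {
    my ($email) = @_;
    my ($user) = grep { lc $_->{user_email} eq lc $email } values %users;
    return unless $user;
    my $temp = random_temp_pass(12);
    $user->{user_temp_pass} = digest($user->{salt}, $temp);
    return $temp;    # handed to the mailer only, never shown on the web page
}

# Login accepts the real password, or a pending temporary one exactly once.
sub login {
    my ($name, $pw) = @_;
    my ($user) = grep { $_->{user_username} eq $name } values %users;
    return 0 unless $user;
    my $h = digest($user->{salt}, $pw);
    return 1 if $h eq $user->{user_password};
    return 0 unless defined $user->{user_temp_pass} && $h eq $user->{user_temp_pass};
    $user->{user_temp_pass} = undef;    # the temporary password is lost after use
    return 1;
}
my $temp = request_reset('Alice@Example.com') or die "no such address";
printf "old password: %d, temp first use: %d, temp second use: %d\n",
    login('alice', 'old-secret'), login('alice', $temp), login('alice', $temp);
```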
Re: [bretzke] A revisit: I'll keep it short In reply to
Sorry, I usually don't read threads that I don't need an answer for myself...

I did it by hacking the script itself, which they don't like you to do.

All I did was change this line:
if ($user = $User->select({ user_username => $username })->fetchrow_hashref) {

to

if ($user = $User->select({ user_email => $username })->fetchrow_hashref) {

I left everything else (including the variable name on the form) the same.


Realiiity.com Forums
Re: [ellipsiiis] A revisit: I'll keep it short In reply to
Ellipsiiis....

That works like a charm!

I'm using the md5 encryption, and that simple little tweak was all that was needed

Quote:
I left everything else (including the variable name on the form) the same


Well, one should change the template to show something like "Enter the email address with which you registered:"

One other thing that I did do was change the error language var in User.pm to INVALID_USER_EMAIL, which I referenced in the first post of this thread.

In testing it a half-dozen times, I found one thing to be really odd. When I received the emails with the new temp passwords, a period . was used for one of the temp password characters one time and in two other emails a parenthesis ) was used as a password character. I thought the passwords needed to be alpha-numeric. IMHO, I think they ought to be.

All in all, THANKS!

Winners never quit, and Quitters never win, and those who never ever win and never quit are called Idiots.