Comments on: CakePHP :: Forgotten Password http://frodosghost.com/2009/07/07/cakephp-forgotten-password/ Following the Footsteps of Heros, Never Lead to the Straight and Grey Roads. (Oh, Sleeper) Fri, 07 May 2010 06:10:10 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Joseph Le Brech http://frodosghost.com/2009/07/07/cakephp-forgotten-password/comment-page-1/#comment-230 Joseph Le Brech Tue, 23 Feb 2010 10:41:40 +0000 http://frodosghost.com/?p=286#comment-230 There's a way to reset password by sending a ticket link rather than a new password, that way the email is confirmed, and the password is only changed once the user has recieved the email. http://edwardawebb.com/programming/php-programming/cakephp/reset-lost-passwords-cakephp btw your code is all showing up on one line. There’s a way to reset password by sending a ticket link rather than a new password, that way the email is confirmed, and the password is only changed once the user has recieved the email.

http://edwardawebb.com/programming/php-programming/cakephp/reset-lost-passwords-cakephp

btw your code is all showing up on one line.

]]> By: neel http://frodosghost.com/2009/07/07/cakephp-forgotten-password/comment-page-1/#comment-217 neel Mon, 11 Jan 2010 08:27:32 +0000 http://frodosghost.com/?p=286#comment-217 Nice trick dude. it helps me alot while creating forgot password page in my project. thanks for sharing it here. Nice trick dude. it helps me alot while creating forgot password page in my project. thanks for sharing it here.

]]> By: James http://frodosghost.com/2009/07/07/cakephp-forgotten-password/comment-page-1/#comment-160 James Wed, 22 Jul 2009 11:24:16 +0000 http://frodosghost.com/?p=286#comment-160 Actually it is because the passwords are hashed that we need the edit function. It is not secure to store un-hashed passwords. Actually it is because the passwords are hashed that we need the edit function. It is not secure to store un-hashed passwords.

]]> By: jessa http://frodosghost.com/2009/07/07/cakephp-forgotten-password/comment-page-1/#comment-159 jessa Wed, 22 Jul 2009 07:30:55 +0000 http://frodosghost.com/?p=286#comment-159 what if there's no edit function? what if the password is hash? what if there’s no edit function? what if the password is hash?

]]> By: kodegeek http://frodosghost.com/2009/07/07/cakephp-forgotten-password/comment-page-1/#comment-156 kodegeek Tue, 14 Jul 2009 10:15:33 +0000 http://frodosghost.com/?p=286#comment-156 it's a good post but there is a chance of flooding/security hole. Let somehow anybody knew others email address, he can reset others password by submitting forgot password stuff. So password should be rest upon confirmation from email address. i think so! it’s a good post but there is a chance of flooding/security hole. Let somehow anybody knew others email address, he can reset others password by submitting forgot password stuff. So password should be rest upon confirmation from email address. i think so!

]]> By: Tim Cinel http://frodosghost.com/2009/07/07/cakephp-forgotten-password/comment-page-1/#comment-155 Tim Cinel Tue, 14 Jul 2009 05:15:36 +0000 http://frodosghost.com/?p=286#comment-155 Nice solution James, simple and elegant. ElbertF's idea is good but the email would need to stress the user NOT to click the link unless they requested a new password. Nice solution James, simple and elegant.

ElbertF’s idea is good but the email would need to stress the user NOT to click the link unless they requested a new password.

]]> By: James http://frodosghost.com/2009/07/07/cakephp-forgotten-password/comment-page-1/#comment-151 James Tue, 07 Jul 2009 04:38:39 +0000 http://frodosghost.com/?p=286#comment-151 Could do that. Most of the time though I use the email as the username. If that is the case all you need do is aquire someones username, and change their password. The email does provide that sense of security. Unless, on a second read, you confirm the new password in an email? Could do that. Most of the time though I use the email as the username. If that is the case all you need do is aquire someones username, and change their password.

The email does provide that sense of security.

Unless, on a second read, you confirm the new password in an email?

]]> By: ElbertF http://frodosghost.com/2009/07/07/cakephp-forgotten-password/comment-page-1/#comment-150 ElbertF Tue, 07 Jul 2009 04:35:45 +0000 http://frodosghost.com/?p=286#comment-150 You could eliminate a step: 1. Click "I forgot my password" 2. Enter your username and a new password 3. Confirm new password via e-mail This way you don't have to login with a temporary password and then change it again. I guess a problem would be if someone clicks "confirm" but didn't request the new password himself, the other would have access to his account. You're probably better off protecting people from their own stupidity. :) You could eliminate a step:

1. Click “I forgot my password”
2. Enter your username and a new password
3. Confirm new password via e-mail

This way you don’t have to login with a temporary password and then change it again.

I guess a problem would be if someone clicks “confirm” but didn’t request the new password himself, the other would have access to his account. You’re probably better off protecting people from their own stupidity. :)

]]>