    Leigh B. Stoller authored · 315e11ab

    New pages to allow users to reset their forgotten passwords without
    involving testbed ops. Split into two parts:
    
    * password.php3 gives the user a form to specify their email address
      and their phone number. We look for a match in the DB, with the
      phone number stripped of all non-numeric characters and the email
      addresses lowercased. If we find a matching user in the database,
      generate a unique key and store that into the DB along with a
      timestamp that allows the key to be used for a short time period
      (currently 30 minutes). The key is split into two parts, with half
      stored in the user's browser (secure mode), and the other half sent
      to the user in an email message that contains a URL that allows the
      user to reset their password.
    
    * chpasswd.php3 does the rest of the operation. It takes half the key
      from the URL, and sucks the other half from the user's browser,
      combining the two halves and matching it against the key that is
      stored in the DB. If the key matches and the timeout has not
      expired, the user is given a form to specify a new password. From
      this point on it's just a standard change password operation.
    
    Both pages are audited with email sent to the user, tbops and the
    audit list.
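The two-page flow described in the commit message above, as an added worked model that is not part of the commit or of the Emulab code (the real pages are PHP; this is a Python sketch of the same protocol). Assumptions not stated by the commit: an in-memory `Store` stands in for the testbed DB, the reset URL identifies the account by `uid`, and the DB holds a SHA-256 hash of the full key rather than the key itself.

```python
"""Model of a split-key password reset: half of a random key goes to the
browser as a cookie, the other half goes out in the e-mailed URL, and both
halves must come back within the validity window. Constructed example."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 30 * 60  # the 30-minute window named in the commit


def normalize_email(email: str) -> str:
    """Trim and lowercase so 'Bob@Example.COM ' matches 'bob@example.com'."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Drop every non-digit so '(801) 555-0100' becomes '8015550100'."""
    return re.sub(r"\D", "", phone)


@dataclass
class User:
    uid: str
    email: str
    phone: str


@dataclass
class ResetRecord:
    key_hash: str   # SHA-256 of the full 32-byte key (assumption: raw key not stored)
    expires_at: int  # unix time after which the record is dead


@dataclass
class Store:
    """Stand-in for the testbed DB (constructed, in-memory)."""
    users: Dict[str, User] = field(default_factory=dict)
    resets: Dict[str, ResetRecord] = field(default_factory=dict)  # keyed by uid

    def find_user(self, email: str, phone: str) -> Optional[User]:
        e, p = normalize_email(email), normalize_phone(phone)
        for u in self.users.values():
            if normalize_email(u.email) == e and normalize_phone(u.phone) == p:
                return u
        return None


def request_reset(store: Store, email: str, phone: str,
                  now: int) -> Optional[Tuple[str, str]]:
    """password.php3 step: on a DB match, mint a key, record its hash and
    expiry, and hand back (cookie_half, url_half) for the page to deliver.
    Returns None when nothing matches; show the same message either way so
    the form cannot be used to probe which addresses exist."""
    user = store.find_user(email, phone)
    if user is None:
        return None
    key = secrets.token_bytes(32)
    store.resets[user.uid] = ResetRecord(
        key_hash=hashlib.sha256(key).hexdigest(),
        expires_at=now + RESET_TTL_SECONDS,
    )
    return key[:16].hex(), key[16:].hex()


def complete_reset(store: Store, uid: str, cookie_half: str, url_half: str,
                   now: int) -> bool:
    """chpasswd.php3 step: recombine the halves, compare their hash against
    the stored one in constant time, enforce the timeout, and consume the
    record so a key works once. True means the password form may be shown."""
    rec = store.resets.get(uid)
    if rec is None or now > rec.expires_at:
        store.resets.pop(uid, None)  # expired records are cleaned up on touch
        return False
    try:
        key = bytes.fromhex(cookie_half) + bytes.fromhex(url_half)
    except ValueError:
        return False  # malformed half: not a valid hex string
    if len(key) != 32:
        return False
    presented = hashlib.sha256(key).hexdigest()
    if not hmac.compare_digest(presented, rec.key_hash):
        return False
    del store.resets[uid]  # success: the key is single-use
    return True
```

Storing only the hash means a read of the reset table does not yield a usable key, and the cookie half means the mailed link on its own is not enough: whoever follows it must be on the browser that asked for the reset, which is the property the two-part split is buying.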