1. 09 Nov, 2005 1 commit
  2. 10 Dec, 2003 1 commit
    • Leigh B. Stoller's avatar
      New pages to allow users to reset their forgotten passwords without · 315e11ab
      Leigh B. Stoller authored
      invovling testbed ops. Split into two parts:
      
      * password.php3 gives the user a form to specify their email address
        and their phone number. We look for a match in the DB, with the
        phone number stripped of all non-numeric characters and the email
        addresses lowercased. If we find a matching user in the database,
        generate a unique key and store that into the DB along with a
        timestamp that allows the key to be used for a short time period
        (currently 30 minutes). The key is split into two parts, with half
        stored in the users browser (secure mode), and the other half sent
        to the user in an email message that contains a URL that allows the
        user to reset their password.
      
      * chpasswd.php3 does the rest of the operation. It takes half the key
        from the URL, and sucks the other half from the user's browser,
        combining the two halves and matching it against the key that is
        stored in the DB. If the key matches and the timeout has not
        expired, the user is given a form to specify a new password. From
        this point on its just a standard change password operation.
      
      Both pages are audited with email sent to the user, tbops and the
      audit list.
      315e11ab