I would like the user, after clicking on the registration link sent via email (after completing the registration form), to be logged in automatically without having to enter their username and password.
How can I do this?
Thanks in advance
That is a security issue. You should verify the appropriate person received the email by asking for credentials. At most, you could probably store the email in local storage/cookie and retrieve it on the login page. But please don't auto login.
I am faced with a beautiful enigma. In wordpress I have a widget that allows you to login with social login (google and facebook). When you login for the first time, the system automatically generates a password and username. This works well. I checked the database and password is correctly present as hashed.
Now, the problem is that if the user goes into profile settings and wants to change their password they have to enter current password first, but they can't know it since it was generated automatically.
I would like to give the user full control over the security of his account, so that he can change his password even if he is logged in with the social login.
So I foresee three possible solutions
Allow the password to be changed without entering the current one (but it seems insecure).
Email the automatically generated password (and I have no idea how I could do it). Or alternatively view it in the user's profile but I don't know how safe it is.
Disable social login and rely on the classic registration :)
Has anyone faced a similar situation before? Can you clarify this with some standard method / practice ?
You can allow the user to ask for a new password he/she specifies. The user will specify the password twice (password and confirm password fields) and then you:
encrypt the password the user asked for
store the encrypted value somewhere as password candidate (metadata, perhaps)
send an email to the user so he/she can confirm that he/she indeed asked for a password
once the user clicks on the link you have sent to him/her, replace the value of the password with the password candidate and remove the password candidate
Don't forget that the user is already logged in when he/she changes his/her password, adding an email validation to the password he/she asked for is pretty safe.
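The candidate-password flow described in the answer above, as an added worked example in Python; it is not code from the original post or from WordPress. The PBKDF2 hashing, the in-memory USERS table standing in for the user and usermeta rows, the 30-minute link lifetime and all function names are assumptions; a real plugin would store the candidate through the usermeta API and build the link from the returned token.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "user table" standing in for the WordPress user and
# usermeta rows (assumption; a plugin would go through the WP APIs instead).
USERS = {}

PBKDF2_ROUNDS = 100_000
CANDIDATE_TTL = 30 * 60  # assumed lifetime of the confirmation link, in seconds


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt, stored as 'salt_hex$digest_hex'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def create_social_user(username, email):
    """Mirror the social-login widget: a random password the user never sees, stored hashed."""
    USERS[username] = {
        "email": email,
        "password": hash_password(secrets.token_urlsafe(32)),
        "meta": {},
    }


def request_password_change(username, new_password, confirm, now=None):
    """Steps 1-3 of the answer: hash the candidate, park it in metadata, return the
    token that goes into the emailed link. The caller has already authenticated
    `username` (the user is logged in via social login when they do this)."""
    if new_password != confirm:
        raise ValueError("password and confirmation do not match")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # A new request replaces any earlier pending candidate for this user.
    USERS[username]["meta"]["pw_candidate"] = {
        "hash": hash_password(new_password),
        # Only a hash of the token is stored, so reading the database does not
        # yield a usable confirmation link.
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + CANDIDATE_TTL,
    }
    return token  # the mailer sends this to USERS[username]["email"]


def confirm_password_change(username, token, now=None):
    """Step 4: on link click, promote the candidate to the real password and discard it."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    pending = user["meta"].get("pw_candidate") if user else None
    if pending is None:
        return False
    if now > pending["expires"]:
        del user["meta"]["pw_candidate"]  # stale request; the user must ask again
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(supplied, pending["token_hash"]):
        return False
    user["password"] = pending["hash"]
    del user["meta"]["pw_candidate"]  # the link is one-time use
    return True
```

The candidate is stored hashed from the start, so at no point does a plaintext password sit in the database or in the email; the email carries only the random token, and the password it unlocks was typed in an authenticated session.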
In Visual Studio 2017, if you create a new ASP.NET Core Web Application (Razor Pages) configured to use Individual user accounts and Store user accounts in-app, the "Forgot password" flow is as follows.
1. User goes to the login page.
2. User clicks "Forgot your password?".
3. User enters email address and clicks "Submit".
4. An email is sent to the user with a link to reset the password. This link contains the user id (Guid) and a code used for the reset.
5. User clicks the link and is taken to the "Reset password" page.
6. User enters Email, Password and Confirm password and clicks Reset.
7. Password is then reset.
My question is if there is some specific reason the user is requested to enter his email in step 6, considering that the user id is already in the URL. The reset password page could look up the user by the id and not ask for the email address.
I assume it's a security-feature, in case someone intercepts the link. But intercepting the link would likely mean intercepting the email containing the link, and then the users email would be known anyway. So I feel like I am missing something.
Sounds like a security issue to me.
Even though you could look up the user id, show them their email and that would be a better user-experience; it's slightly more secure to have the user enter his/her email again with the code for reset. This way the password reset still contains something you know and something you have to authenticate the user during the password reset process. The something you know is the email address, the something you have is the reset code (and possibly the user id).
If email is not required, and an attacker somehow got hold of the reset password information but didn't know the user's email address, the attacker would be able to use the guid & reset code to reset the password.
If email is required and the attacker does not know the email address then the attacker wouldn't be able to reset the password with just the reset information (user id/code).
Password reset isn't really used that often and doesn't really have to be the most user-friendly part of your website. Better to be more secure.
I am using wp-members plugin for user registration and login. But I have to send a verification link in mail when user registers. How can I do that?
You can also use Theme My Login so you can easily achieve this.
Require users to be approved or confirm e-mail address upon registration
is one of this plugin's options.
I have logged in using the information provided during installation by using the normal login page but it says
Login was unsuccessful. Please correct the errors and try again.
The credentials provided are incorrect
From where can I go to the administrator page link?
First of all, check the [Customer] table in your database. Check whether the user name or email ID is correct or not...
If they are correct, then use the forgot password link on the login page.
Maybe your login name or password was wrong....
Open the table Customer in the SQL database and find the built-in system user whose email = "builtin@search_engine_record.com".
The Id is 7 in nopCommerce 4.0.
By default this user is active.
Set it Active = False.
Log in and you will see the Administrator link at the top of the page.
You can try to reset the password through SQL in the Customer table; please make sure you set PasswordSalt to NULL. After resetting the password, refresh your page and enter the password, and after you have logged in you can see a link to Administration at the top.
net website, I would like to implement forgot password. I am using the following steps:
1. Form having input boxes for login ID and email ID, and a CAPTCHA.
2. When the user enters details and submits, at the backend after validation a new password is generated and replaces the old password in the database.
3. The new password is sent to the user by email.
Please help me whether I am doing this right or not?
Is there any other secure mechanism for the same?
[EDIT]
Thanks, I got your reply. Really this is a secure mechanism. But here I have a few doubts:
1. What message should I show to the user when he enters login ID and email address on the forgotten password page?
2. Would the message be the same for a valid user and a malicious user?
3. Advantage of using a CSRF token? Any help / link?
4. When the user clicks on the link, what should I do? Because as I guess, the user should automatically log in to their account; then after that I have 2 choices: (first) send a new password automatically to the user, (second) a new form will be shown to the user where the user will enter the old password and the new password twice?
Please help?
I can see why you'd want a CAPTCHA, but I'd take a different approach.
1. When a password reset is requested check that a reset has not already been requested for that account within the last X minutes. If a password has already been requested ignore the reset request.
2. Check the IP requesting the password reset. If that IP has requested a password reset in the last Y minutes ignore the request.
3. If the checks in 1 & 2 pass check the account exists. If it doesn't ignore the request.
4. If we've gotten this far generate a one time token, which expires in Z minutes and a password reset URL which encompasses this token. Email this to the registered email address. When the URL is loaded prompt for a new password and reset.
For those who believe that you should tell the user where the email has gone I strongly disagree. This is "information leakage", even if you do limit it to the domain name. For example say I've registered on JeffAtwoodEatsBabies.com as blowdart. If Jeff had requested a password reset for me and you showed the registration domain then he'd see idunno.org. This is my personal domain and thus Jeff would know the blowdart user is, in fact, me. This is a bad bad thing. I should not have to register using hotmail or gmail or whatever in order to protect myself from your code showing an email domain to all and sundry.
In addition you shouldn't be showing error messages at all. No matter what happens, a username is not actually registered, or too many requests have been made or the sky has fallen you should be telling the user that the password reset procedure has started. Informing a user that an account doesn't exist is more information leakage.
One final thing you could do is add a CSRF token to the reset request page, so it cannot be driven from other web sites.
Followup
So to answer your further questions.
1. What message you show is up to you. "Instructions for resetting your password have been emailed to the registered email for this account" is one idea, but really it's down to your audience.
2. Already addressed above.
3. Wikipedia is a good starting point. How you do it depends on your platform and is a complete other question! For ASP.NET you could look at my codeplex project, http://anticsrf.codeplex.com or look at ViewStateUserKey.
4. When the link is clicked I would first validate the token in the URL against the username it's being applied to then I would either allow the user to enter a new password, or generate a new one and email it. You can't prompt for the old one, as the whole point is the user has forgotten it!
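The four-step reset procedure from the answer above, together with its follow-up point that the token is validated against the account it is applied to (the same point the earlier ASP.NET Core answer makes about binding the reset code to something the user supplies on the form), as an added worked example in Python. It is not code from the original posts. The X, Y and Z values, the PBKDF2 hashing, the in-memory tables, the OUTBOX list standing in for the mailer and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed values for the answer's X, Y and Z minutes; tune per site.
ACCOUNT_WINDOW = 15 * 60   # X: at most one accepted reset request per account
IP_WINDOW = 5 * 60         # Y: at most one accepted reset request per source IP
TOKEN_TTL = 30 * 60        # Z: lifetime of the one-time token in the emailed URL
PBKDF2_ROUNDS = 100_000

# The one reply returned on every code path, so nothing about the account leaks.
GENERIC_RESPONSE = ("Instructions for resetting your password have been emailed "
                    "to the registered email for this account.")

# Constructed in-memory stores standing in for database tables (assumption).
ACCOUNTS = {}              # username -> {"email": str, "password": stored hash}
PENDING = {}               # username -> {"token_hash": str, "expires": float}
LAST_ACCOUNT_REQUEST = {}  # username -> time of last accepted request
LAST_IP_REQUEST = {}       # ip -> time of last accepted request
OUTBOX = []                # what the mailer would send: {"to": ..., "token": ...}


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt, stored as 'salt_hex$digest_hex'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def _recently(table, key, window, now):
    last = table.get(key)
    return last is not None and now - last < window


def request_reset(username, ip, now=None):
    """Steps 1-4. Ignored requests still get GENERIC_RESPONSE and do not extend the
    throttle window, so hammering the form cannot keep the real owner locked out."""
    now = time.time() if now is None else now
    if _recently(LAST_ACCOUNT_REQUEST, username, ACCOUNT_WINDOW, now):   # step 1
        return GENERIC_RESPONSE
    if _recently(LAST_IP_REQUEST, ip, IP_WINDOW, now):                    # step 2
        return GENERIC_RESPONSE
    # Recorded for unknown names too, so the throttle's behaviour does not
    # reveal whether an account exists.
    LAST_ACCOUNT_REQUEST[username] = now
    LAST_IP_REQUEST[ip] = now
    account = ACCOUNTS.get(username)                                      # step 3
    if account is None:
        return GENERIC_RESPONSE
    token = secrets.token_urlsafe(32)                                     # step 4
    PENDING[username] = {
        # Only a hash of the token is stored; a database read yields no usable URL.
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL,
    }
    OUTBOX.append({"to": account["email"], "token": token})
    return GENERIC_RESPONSE


def complete_reset(username, token, new_password, now=None):
    """Link clicked: the token is looked up under the account it is being applied to,
    so a token alone, without the matching account identifier, resets nothing."""
    now = time.time() if now is None else now
    pending = PENDING.get(username)
    if pending is None:
        return False
    if now > pending["expires"]:
        del PENDING[username]
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(supplied, pending["token_hash"]):
        return False
    ACCOUNTS[username]["password"] = hash_password(new_password)
    del PENDING[username]  # one-time token
    return True
```

Because the throttles are checked before existence and the response never varies, an attacker probing the form learns nothing about which usernames are registered; the only observable difference is whether a mail arrives in an inbox they do not control.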
There are many ways this has been implemented. As you said, generating a new password and sending it to the registered email address is one method. I wouldn't suggest you go that route though, as my password would be reset every time somebody tried guessing my password.
Instead, the best thing I've seen to date is simply emailing the registered email with a link that will begin a password reset process. You may even let the user know which email address to check by showing a masked version of their email address used in registration:
An email was sent to ********@hotmail.com. Please check your inbox to continue.
Be sure to keep in consideration those of us who may forget which email address they registered with - typically a few security questions are a great way to make that information available.
I've done that recently. When the user enters their username or email address, we generate a unique token and email it to them as part of a link. Upon receipt of that email, they click the link, and are automatically logged in, taken to the my account screen, and prompted to reset their password.
Of course, this relies 100% on the security of the email client, but it's hard to beat from a usability perspective.
You should check the answer to the question: Can anyone provide references for implementing web application self password reset mechanisms properly? from D.W. on security.stackexchange.
It is the most complete answer I found on the subject. I also suggest you read this article: Everything you ever wanted to know about building a secure password reset feature