I'm new using Webflow and I don't know how to do that: I want to implement a recovery password flow, I'm taking the user's email, generate a random ticket and store it with hibernate. The problem is that I don't know how send an email to the user with a link to another flow which should check if the ticket is valid and then let the user change his password. Before using webflow I was sending the next URL: (http://localhost:8080/changePassword?ticket=15teumv5huebt...) changePassword is a view in my project but I know this URL will be overriden. Can anyone give me some suggestion? Thanks in advance.
well, if your flow's id is "changePassword", you should be able to send a link with "http://localhost:8080/changePassword?ticket=15teumv5huebt..."
you might want to automatically replace localhost by the server ip and do the same for the port number
also you might have to use your application's name "http://localhost:8080/appName/changePassword?ticket=15teumv5huebt..."
Related
I will not post any of my code, because this is more just a question to know if it's possible.
I've been googling a lot, but didn't find any concrete solutions. I hope someone can help me here.
The facts:
I have a login form
I need to authenticate the credentials over a web-service
I need to send both username and password, to get back a token if logged in successfully.
The problems:
With a custom provider I'm always stuck with the fact that they only have direct access to the userename, like: loadUserByUsername. I need to access the password there as well, to be able to send this to my web-service.
I have only 1 web-service which sends only back a token if provided username and password are correct.
Question:
How can I access and send both username and password to my web-service?
Thanks!
Generally speaking one would authenticate using an API token to a web service.
That API token is usually issued via an auto-generation script when the user account is created (either by an admin or by a registration form). This token is then passed by the API call to the web-service in a header which then uses it to authenticate the user.
As far as Symfony goes, by far the easiest way of doing this is with Guard. A new component built by Ryan Weaver from KNP.
KNPUniversity has a great tutorial on it (for free).
Note that this is only one option of many, and the 'best' way is probably mainly opinion based and directly related to the use case in question. But it might help you get on the right track.
If the token you want to create should be a JSON Web Token (JWT), a very conventient bundle is LexikJWTAuthenticationBundle, which does almost all of the work automatically. If you just follow the documentation, you will have it quickly up and running. You can combine it with FOSUserBundle, with a custom User entity or whatever.
I'm looking for a basic explanation of how could I do this with symfony2, since there is no decent documentation in the web about this. I know how could I do the process with plain php, but I don't know where to start with symfony2.
Any help would be really appreciated, guys.
Thanks!
To clarify what I'm looking for: once the user completes the registration process, send an automatic email with a link to activate his account
FOSUserBundle has this feature by default.
You can do it on your own:
Create a user specific secure hash and store it in the database at registration.
Send an email to user containing a link with that hash: myapp.com/signup/token/..(token here).../
Create the relevant route to the controller that will check the hash, pass the token in the url to the controller as variable.
Check if the hash is correct in the controller and do the relevant action.
I have my little web application, with simple registration strategy - provide email and password and you are done.
Recently bot's starting to attack my application, registering big number of users from non existent emails using the same passwords.
I want to prevent that. My idea is to extend login verification, but check the existance of email address. Do you know any web services (prefereably WCF) that could do that?
This is definitely not the way to solve this problem. Try one of these
Allow user to enter only username and send auto-generated password to their email.
Send a verification link to the user email and approve him/her only after verification
This has been discussed on How to check if an email address exists without sending an email? . Basically there are ways verify email addresses, but in practice none of them is reliable. However, you can still check via SMTP, and if the server denies the existence of the expected user, send him an email with a verification link anyway. This does not prevent spammers from setting up fake servers that acknowledge the existence of any user, of using other peoples email addresses, but it's probably the closest you can get to your initial requirement of having no verification email.
I would recommend you to update your registration form. Try to use something tricky for bots. For example, post the form via AJAX with JSON object wrapper.
Try a service like: http://elasticemail.com/
You can use the api to check if the email was delivered. There is also a 'bouce list' you can check.
i was wondering if any one can advise me on how i can go about implementing a email and account validation feature in my ASP.net website. so when a user creates an account, an email is sent to the email address used, and the user needs to verify that email address to be able to logon.
thanks
Suggested workflow..
Create an account for the user in your database and mark the account as "to be validated"
Produce a random key, maybe a GUID and add it to the users account
Email the random key to the user along with a unique URL, e.g www.myurl.com/validateuser.aspx?userid=45532
To email using asp.net use the system.net.mail namespace - lots of bits on the internet about this.
On validateuser.aspx ask user to enter key sent to them in email.
Check if keys match. If so update db record to "validated"
Edit
By the way, there is a nice answer here on Stack Overflow if you are using forms auth
you can use regular expression of email id check after validation save id in database and and on button behind code of registration write code for sending email using system.net.mail
many email sending function available on internet.
after registeration using coding to check on logon either the email exists in ur database or not.
This is almost a year too late, but for the records you should use the built-in ASP.NET Membership functionality because you get all this (and much more) for free, no need to make e-mail validation logic if it's already made for you is it?
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
net website, i would like to implement forget password. I am using following steps
Form having input box for login Id and email Id and CAPTCHA
when user enter details and submit, at backend after validation new password is generated and replaced old password at database.
New passowrd is send to user at email.
Please help me whether i am doing right or not?
Is there any other secure mechanism for the same?
[EDIT]
Thanks, i got your reply. Really this is a secure mechanism. But here i have few doubt
What message should i shown to user when he enter loginId and email address at forgotten password page?
Whether message would be same for valid user and mallicious user?
Advantage of using CSRF token? Any help / link
When user click on link then what should i do; because as i guess user should automatically loggin into their account -then after that i have 2 choice (first) send new password automatically to user (second) new form will shown to user where user will enetr old password and new password twice?
Please help?
I can see why you'd want a CAPTCHA, but I'd take a different approach.
When a password reset is requested check that a reset has not already been requested for that account within the last X minutes. If a password has already been requested ignore the reset request.
Check the IP requesting the password reset. If that IP has requested a password reset in the last Y minutes ignore the request.
If the checks in 1 & 2 pass check the account exists. If it doesn't ignore the request.
If we've gotten this far generate a one time token, which expires in Z minutes and a password reset URL which encompasses this token. Email this to the registered email address. When the URL is loaded prompt for a new password and reset.
For those who believe that you should tell the user where the email has gone I strongly disagree. This is "information leakage", even if you do limit it to the domain name. For example say I've registered on JeffAtwoodEatsBabies.com as blowdart. If Jeff had requested a password reset for me and you showed the registration domain then he'd see idunno.org. This is my personal domain and thus Jeff would know the blowdart user is, in fact, me. This is a bad bad thing. I should not have to register using hotmail or gmail or whatever in order to protect myself from your code showing an email domain to all and sundry.
In addition you shouldn't be showing error messages at all. No matter what happens, a username is not actually registered, or too many requests have been made or the sky has fallen you should be telling the user that the password reset procedure has started. Informing a user that an account doesn't exist is more information leakage.
One final thing you could do is add a CSRF token to the reset request page, so it cannot be driven from other web sites.
Followup
So to answer your further questions.
What message you show is up to you. "Instructions for resetting your password have been emailed to the registered email for this account" is one idea, but really it's down to your audience.
Already addressed above.
Wikipedia is a good starting point. How you do it depends on your platform and is a complete other question! For ASP.NET you could look at my codeplex project, http://anticsrf.codeplex.com or look at ViewStateUserKey.
When the link is clicked I would first validate the token in the URL against the username it's being applied to then I would either allow the user to enter a new password, or generate a new one and email it. You can't prompt for the old one, as the whole point is the user has forgotten it!
There are many ways this has been implemented. As you said, generating a new password and sending it to the registered email address is one method. I wouldn't suggest you go that route though, as my password would be reset everytime somebody tried guessing my password.
Instead, the best thing I've seen to date is simply emailing the registered email with a link that will begin a password reset process. You may even let the user know which email address to check by showing a masked version of their email address used in registration:
An email was sent to ********#hotmail.com. Please check your inbox to continue.
Be sure to keep in consideration those of us who may forget which email address were registered with - typically a few security questions are a great way to make that information available.
I've done that recently. When the user enters their username or email address, we generate a unique token and email it to them as part of a link. Upon receipt of that email, they click the link, and are automatically logged in, taken to the my account screen, and prompted to reset their password.
Of course, this relies 100% on the security of the email client, but it's hard to beat from a usability perspective.
You shoud check the answer to the question : Can anyone provide references for implementing web application self password reset mechanisms properly? from D.W. on security.stackexchange.
It is the most complete answer I found on the subject. I also suggest you to read this article : Everything you ever wanted to know about building a secure password reset feature