I have a login in my admin page.
Now I want to log every login-try in my database.
Normaly I have a Log-table with the adminID in a foreign key of the adminuser-table.
Now, of course, when someone try to login with a username that doesn't exist, I haven't a ID and the foraign-key uses a crash in the write-attamp.
Now whats the correct way to log a login-try when the username isn't correct and you haven't the correct id?
1) Add a second log-table for such things
or 2) Remove the foraign Key in the first log-table
Why not just have the adminID field as a nullable field? That way, you could distinguish between successful and unsuccessful login attempts.
Related
If you use Wordpress's built in password reset service it will go something like this:
Click forgot password
Enter your email or username
Receive a link in your email inbox
Click the link
Fill out form
That link you click, will look something like this:
http://yourdomain/wp-login.php?action=rp&key=vqwwSPzf6OK6bUv42XPk&login=natelough
If you try to change the &login to another name, it will reject you.
So, somewhere that 'key' is being stored in some way, and compared.
Where is it stored in the database?
I did an export of the database and searched the db for that string. It returned no results.
So what gives?
That key is generated by hashing a random string. You can see how this key is generated in the WordPress developer reference.
To answer your specific question, when a key is generated it is stored in the users table in the user_activation_key column. Only the most recently generated key is stored (invalidating previous reset keys). The key is also removed from the database once it has been used.
If you are looking to send these keys programmatically, you can generate them when you need them using get_password_reset_key(). That function accepts a WP_User object as its argument.
Depending on what you are trying to accomplish, there may be a more "best practices" way to do it than accessing that function directly.
The password is stored as a hash of the login name and password. You will find it in the users table under user_pass as an incomprehensible string. If the login name is changed, the entered password hashed with the login name will not match the string found in the database where the password was hashed with the original login name.
When users sign up in my app (with accounts-ui) I ask for three mandatory fields: username, email and pwd. I'm looking for a way to allow users to sign In with only two fields: Email and password (not username/email and pwd as default) but always asking for username in sign up (Usernames could be duplicates between users).
There is a way to do that with accounts-ui? The reason is pretty obvious, as facebook do, I need to allow the creation of different accounts with the same name, but not with the same email.
As workaround I have installed a package to add the additional field to sign Up (selaias:accounts-entry) and customize the sign in / sign up forms but the additional field (username) is shown below the password which looks awkward. I wonder if meteor accounts should have a natural option to do the explained at begin.
Option 1
Pass passwordSignupFields:'EMAIL_ONLY' to Accounts.ui.config
Option 2
Part 1: Pass a custom validation method to Accounts.validateNewUser so duplicate usernames are allowed.
Part 2:
the additional field (username) is shown below the password which looks awkward.
Hide it with a CSS hack
the ids are autoincrement 1,2,3 ... etc.
and the login's are string
when I do FormsAuth.SignIn( //here should I use the login or the ids
the logins aren't seen by anybody,
but the ids aren't hard to guess (for some random person)
It depends on how you do your authentication. The standard generated forms-authentication expects a Username for the user to log in.
So when the user tries to login you should check his username and password against the database. If everything is correct then you can do.
FormsAuthentication.SetAuthCookie("UserName",true/false);
If you wrote your custom membership validation then you can set the AuthCookie to something else like the Id or Email. It just has to be unique.
What you are saying about the Id's aren't hard to quess shouldn't mather. Unauthorized persons shouldn't be able to do the FormsAuthentication.SetAuthCookie. You always have to check if the pass and username is correct so.
Hope it's clear enough for you?
In my project i am sending a mail to the user to create a user account. I want to enable that link for the first time he/she clicks the link. if he clicks the link for more than 2 times,then it should go to custom error page.how to do this?
This depends on how the link is generated.
For example: If your link contains a username as GET-parameter, then you could simply query your database if the username is already in use. I would advise against that, because the user can easily change that GET-Parameter
I would recommend this: Your link should contain a unique identifier, most likly a hash. This hash is stored somewhere, to garantee it's uniqueness, like in the usertable of your database (a column for the hash of the registration link). That might also come handy, because you could create new user rows and already prefill them with necessary information. You could use these information upon rendering to insert text into the textboxes
I have a forgot password page in which i need to ask from the user his user id to provide him his password from the database and it is working but what to do if anyone enters any wrong user id.
Be aware that there's a certain measure of risk in this. If you always respond with a message saying that the User ID is incorrect, then that can be used to guess User IDs in your system. An attacker can brute-force this form with variations of common names and end up with a sizable list of your users. For any given account, that gives them half of the information needed to login as that user.
I would recommend that you display a message saying that an email has been sent to the email address for that account with instructions to reset the password (which includes a time-sensitive key required for the reset), regardless if the User ID was found in the system or not. If they don't get the email, they can always try again (assuming the first attempt included a typo in the User ID). If they don't actually know their User ID, there can be another form to recover that by entering their email address (behaves in a similar manner to this form, always showing success on the form and just sending the email where applicable).
You have to perform following 3 steps to ensure tight security.
1) Based on the userid fetch the user information from database. If the information is null then send an error to the user, saying invalid UserId.
2) a) If you have registration of EmailId at the time of user creation, then send the password to the registered mail.
b) If you don't have registration of EmailId then ask and match the security question selected at the time of user registration.
3) If possible try to combine the a) & b) points of point 2) for more enhanced security.
You must do SELECT to check if that records exists and proceed if so.
Simply return a message stating they have entered an incorrect user id.
If you're asking what do you do if they give you the valid ID of another user entirely, then I'm assuming you're doing something quite unsafe with the password you're recovering (you aren't just showing them the password are you?) - most systems like this will email you the password, at least affording the security that only the associated email account will ever be given the password.
SELECT * FROM users WHERE username = inputhere
if (mysql_num_rows($result) > 0)
{
// found it
}
else
{
// doesn't exist
}
Is that what you were looking for?