I have a forgot password page in which i need to ask from the user his user id to provide him his password from the database and it is working but what to do if anyone enters any wrong user id.
Be aware that there's a certain measure of risk in this. If you always respond with a message saying that the User ID is incorrect, then that can be used to guess User IDs in your system. An attacker can brute-force this form with variations of common names and end up with a sizable list of your users. For any given account, that gives them half of the information needed to login as that user.
I would recommend that you display a message saying that an email has been sent to the email address for that account with instructions to reset the password (which includes a time-sensitive key required for the reset), regardless if the User ID was found in the system or not. If they don't get the email, they can always try again (assuming the first attempt included a typo in the User ID). If they don't actually know their User ID, there can be another form to recover that by entering their email address (behaves in a similar manner to this form, always showing success on the form and just sending the email where applicable).
You have to perform following 3 steps to ensure tight security.
1) Based on the userid fetch the user information from database. If the information is null then send an error to the user, saying invalid UserId.
2) a) If you have registration of EmailId at the time of user creation, then send the password to the registered mail.
b) If you don't have registration of EmailId then ask and match the security question selected at the time of user registration.
3) If possible try to combine the a) & b) points of point 2) for more enhanced security.
You must do SELECT to check if that records exists and proceed if so.
Simply return a message stating they have entered an incorrect user id.
If you're asking what do you do if they give you the valid ID of another user entirely, then I'm assuming you're doing something quite unsafe with the password you're recovering (you aren't just showing them the password are you?) - most systems like this will email you the password, at least affording the security that only the associated email account will ever be given the password.
SELECT * FROM users WHERE username = inputhere
if (mysql_num_rows($result) > 0)
{
// found it
}
else
{
// doesn't exist
}
Is that what you were looking for?
Related
When users sign up in my app (with accounts-ui) I ask for three mandatory fields: username, email and pwd. I'm looking for a way to allow users to sign In with only two fields: Email and password (not username/email and pwd as default) but always asking for username in sign up (Usernames could be duplicates between users).
There is a way to do that with accounts-ui? The reason is pretty obvious, as facebook do, I need to allow the creation of different accounts with the same name, but not with the same email.
As workaround I have installed a package to add the additional field to sign Up (selaias:accounts-entry) and customize the sign in / sign up forms but the additional field (username) is shown below the password which looks awkward. I wonder if meteor accounts should have a natural option to do the explained at begin.
Option 1
Pass passwordSignupFields:'EMAIL_ONLY' to Accounts.ui.config
Option 2
Part 1: Pass a custom validation method to Accounts.validateNewUser so duplicate usernames are allowed.
Part 2:
the additional field (username) is shown below the password which looks awkward.
Hide it with a CSS hack
the ids are autoincrement 1,2,3 ... etc.
and the login's are string
when I do FormsAuth.SignIn( //here should I use the login or the ids
the logins aren't seen by anybody,
but the ids aren't hard to guess (for some random person)
It depends on how you do your authentication. The standard generated forms-authentication expects a Username for the user to log in.
So when the user tries to login you should check his username and password against the database. If everything is correct then you can do.
FormsAuthentication.SetAuthCookie("UserName",true/false);
If you wrote your custom membership validation then you can set the AuthCookie to something else like the Id or Email. It just has to be unique.
What you are saying about the Id's aren't hard to quess shouldn't mather. Unauthorized persons shouldn't be able to do the FormsAuthentication.SetAuthCookie. You always have to check if the pass and username is correct so.
Hope it's clear enough for you?
I want to know that when user registering how to check the email id is exists or not.
In order to validate an email you can use 2 things
Send yourself an email and check the answer back (this can take up to 24 hours as email servers sometimes don't send the answer back right away) and read the response headers back from the email server
You can signup for a commercial service that does this for you.
BUT
We never, ever, do this ...
We simply send the user an email with a confirmation link and block his/her account until they confirm it.
for example:
The user bruno creates an account in your website with the email abc#domain.com.
After you create the user in your User table you also have a bit (boolean) column names is_confirmed that you say 0
DECLARE #guid uniqueidentifier
SET #guid = NEWID();
INSERT INTO [TblUsers]
( 'email', 'username', 'is_confirmed', 'create_date', 'unique_id' )
VALUES
( 'abc#domain.com', 'bruno', 0, GETDATE(), #guid );
SELECT #guid;
then you send a nice Welcome email with the id you got form the insert procedure
http://yourdomain.com/confirm/?<%= userGuid %>
you simple send a Welcome message asking the user to confirm within that link, open confirm, welcome him and ask to provide a password.
That's how we see if the email is a real one or not!
If you want to know whether they have entered a genuine, real email address that they use, then the only way is to send them something then have them confirm it back to you.
If you just want to check the format is valid, then Google (or Bing if that is your preference) for email address verification regular expression.
I have a login in my admin page.
Now I want to log every login-try in my database.
Normaly I have a Log-table with the adminID in a foreign key of the adminuser-table.
Now, of course, when someone try to login with a username that doesn't exist, I haven't a ID and the foraign-key uses a crash in the write-attamp.
Now whats the correct way to log a login-try when the username isn't correct and you haven't the correct id?
1) Add a second log-table for such things
or 2) Remove the foraign Key in the first log-table
Why not just have the adminID field as a nullable field? That way, you could distinguish between successful and unsuccessful login attempts.
In my project i am sending a mail to the user to create a user account. I want to enable that link for the first time he/she clicks the link. if he clicks the link for more than 2 times,then it should go to custom error page.how to do this?
This depends on how the link is generated.
For example: If your link contains a username as GET-parameter, then you could simply query your database if the username is already in use. I would advise against that, because the user can easily change that GET-Parameter
I would recommend this: Your link should contain a unique identifier, most likly a hash. This hash is stored somewhere, to garantee it's uniqueness, like in the usertable of your database (a column for the hash of the registration link). That might also come handy, because you could create new user rows and already prefill them with necessary information. You could use these information upon rendering to insert text into the textboxes