Bazaar – php example code – part 18 – forgotten pasword functionality

15.05.202101.04.2021 milan.ciljak

Article focus on simple way how to recover access to a page for user that forgotten password. Introduced solution generate new password, reset old and send them to the user on registration e-mail.

Expectation from password recovery mechanism

After longer period of user inactivity any user can feel difficulties to log in into their own account. All well planed pages must have functionality for password recovery. Simple way how to do it, is resend new password to a registration e-mail of the user.

This solution can be further hardened by expectation of change user password after gainig first access with send password (user must change to their own password).

All new solution incorporate two way authentication or use second verification by sending code to mobile phone or mobile application for assuring legitimity of password resend.

For smooth user experience is necessary provide functional UI on rsend form. Our application implement this feature way that you can see on following pictures.

Option for recovering password at the bottom of the Log In form

Resend form after providing wrong e-mail address

Resend form after providing existing e-mail address

As you can see after providing valid e-mail address, new pasword is created, inserted into a database and send via e-mail. But this is our simple solution, how to mitigate rough client that will request reset working password. This is only one field for further hardening of this functionlity.

On next rows we take look on way how we implemented this feature to existing page code.

Implementation of password recovery feature

Full code responsible for validation of provided e-mail for password recovery. Recreation of password, inserting them into a database as hash and sending as plain text within a e-mail to user and notification of success or failure on any of the working stage is as follow.

<!– ************************************************************* –>

<!– PHP „self“ code handling resend new default password –>

<!– ************************************************************* –>

<!– Vrsion: 1.0 Date: 9.1-10.11.2021 by CDesigner.eu –>

<!– ************************************************************* –>

<?php

require_once(‚appvars.php‘); // including variables for database

require_once(‚captcha.php‘); // including generator of captcha image

session_start(); // start the session

// two variables for message and styling of the mesage with bootstrap

$msg = “;

$msgClass = “;

$usr_username = “;

$usr_passwd = “;

$_resended = false; // page is on first run before resending new password to provided user e-mail

//get info that user is loged in, if not try it looking at cookies

//if(!isset($_COOKIE[‚s‘])) { old solution with cookies

if(!isset($_SESSION[‚users_id‘])) { //new with session variables

if(isset($_POST[‚submit‘])) {

/* Attempt MySQL server connection. */

$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PW, DB_NAME);

// obtaining e-mail for recovery password

$e_mail = htmlspecialchars($_POST[‚e_mail‘]);

if(!empty($e_mail)) {

if(filter_var($e_mail, FILTER_VALIDATE_EMAIL) === false){

// E-mail is not walid

$msg = ‚Please use a valid email‘;

$msgClass = ‚alert-danger‘;

} else {

// e-mail is valid

// try lookup user database – if e-mail is in a database

$sql = „SELECT users_id, username, user_role FROM bazaar_user WHERE email = „.“‚$e_mail'“ ;

$data = mysqli_query($dbc, $sql);

if(mysqli_num_rows($data) == 1) {

//obtain user data form executed query

$row = mysqli_fetch_array($data);

$username = $row[‚username‘]; // get uswername asociated with provided e-mail from fetched data from a users database

// display info about account that was gathered from database for that e-mail

$_resended == true; //page is reloaded and will display info about succesfull reset and resend password

// generate new strong password

define(‚PASS_NUMCHARS‘, 10); // number of characters inrandom passphrase

// generating passphrase by random numbers

$new_pass_phrase = „“;

for($i = 0; $i < CAPTCHA_NUMCHARS; $i++ ) {

$new_pass_phrase .= chr(rand(48, 90)); //ascii from 0 to Z

}

// hash passord

$new_pass_hash = SHA1($pass_phrase);

// insert new password hash into a database for that e-mail

$sql = „UPDATE bazaar_user SET

pass_word = ‚“.$new_pass_hash.“‚

WHERE email = „.“‚$e_mail'“ ;

if($output = mysqli_query($dbc, $sql)){

if($output) { // if any record obtained from SELECT query

//echo „Heslo bolo úspešne zmenené“;

$msg .= ‚ PASSWORD changed succesfuly. ‚;

$msgClass = ‚alert-success‘;

} else{

//echo „Password cannot be changed.“; // if no records in table

$msg .= ‚ PASSWORD cannot be changed. ‚;

$msgClass = ‚alert-danger‘;

}

} else {

echo „ERROR: Could not able to execute $sql. “ . mysqli_error($dbc); // if database query problem

}

// send e-mail with new generated password to provided e-mail address

/*******************************************************

* construct e-mail with new password for access into a bazaar account

$toEmail = $e_mail; //!!! e-mail address to send to – change for your needs!!!

// debug only for test becaus mercury is not in xamp configured for sending outside a local domain $toEmail = ‚ciljak@localhost.org‘;

$subject = ‚New login on bazaar for user ‚.$username;

$body = ‚<h2>Your new access credentials for account ‚.$username.‘ with associated e-mail : ‚.$e_mail.‘ </h2>

<h4>For gaining access to your account please use these credentials: </h4><p>username:‘.$username.‘,</p><p> password: ‚.$pass_phrase.‘, </p>

<p>We strongly encourage you to change password after succesfful login on edit user page for your own strong password!</p>

<h4>Visit us on <a href=“bazaar.com“>bazaar.com</a></h4>

‚;

// Email Headers

$headers = „MIME-Version: 1.0″ .“\r\n“;

$headers .=“Content-Type:text/html;charset=UTF-8″ . „\r\n“;

// Additional Headers

//$headers .= „From: “ .$first_name_buyer. „<„.$email_buyer.“>“. „\r\n“;

$headers .= „From: admin@bazaar.com „;

if(mail($toEmail, $subject, $body, $headers)){

// Email Sent

$msg .= ‚<p> Your new accessing credentials for account ‚.$username.‘ was successfully sent via provided e-mail ‚.$e_mail.‘.</p>‘;

$msgClass = ‚alert-success‘;

} else {

// Failed

$msg = ‚New access credentials can not be send via e-mail due to other technical problem. Please contact site admin for further help.‘;

$msgClass = ‚alert-danger‘;

}

// $home_url = ‚http://‘. $_SERVER[‚HTTP_HOST‘] . dirname($_SERVER[‚PHP_SELF‘]) . ‚/index.php‘;

// header(‚Location:‘. $home_url);

// Free result set

mysqli_free_result($data);

// Close connection

mysqli_close($dbc);

} else {

// user account with requested -email does not exist – you cannot reset them – only display info about retyping e-mail address

$msg .= „User account with e-mail: „. $e_mail. „. does not exist. E-mail with new login credentials can not be send! „;

$msgClass = ‚alert-danger‘;

}

} else {

// username/ password were not entered – display error message

$msg .= „Sorry, you must eneter e-mail address for sending new login credentials. „;

$msgClass = ‚alert-danger‘;

}

<!– **************************************** –>

<!– HTML code containing Form for submitting –>

<!– **************************************** –>

<!DOCTYPE html>

<html>

<head>

<title> Bazaar resend password </title>

</head>

<body>

<?php

require_once(‚headerlogo.php‘);

<a class=“navbar-brand“ href=“index.php“>Bazaar – mainpage</a>

</div>

</nav>

<?php if($msg != “): ?>

<br>

<?php endif; ?>

<?php

// if (empty($_resended)) { $_resended = false; };

if(empty($_SESSION[‚users_id‘]) && ($_resended == false)) { // solution with sessions – if user is not loged in

// only show for if session with name users_id does not exist

//echo ‚ <br> ‚;

//echo ‚<p class=“alert alert-danger“>‘ . $msg . ‚</p>‘;

<br>

<br>

<legend> Recovering access to existing user account <legend>

<br>

<label>Your registration e-mail:</label>

<input type=“text“ onfocus=“this.value='<?php echo isset($_POST[‚e_mail‘]) ? “ : “; ?>'“ name=“e_mail“ class=“form-control“ value=“<?php echo isset($_POST[‚e_mail‘]) ? ‚Please reenter‘ : ‚e-mail‘; ?>“>

<br>

</div>

<br>

</form>

<?php } else if ($_resended == true) {

// user is not loged and e-mail was good submited and there display info about sucessfull resend e-mail

echo ‚<br>‘;

echo ‚<p class=“alert alert-success“> For your account‘ . $username. ‚ we provided new password.</em></p>‘; // session solution

echo ‚<p class=“alert alert-success“> Provided password has been sent in to e-mail <em>‘ . $e_mail. ‚</em> used during resistration of your account. </p>‘; // session solution

echo ‚<p class=“alert alert-success“> We recommend you change them after first successful login on edit profile page. </a></p>‘;

} else {

// user is loged in – there is no need for resend password

echo ‚<br>‘;

echo ‚<p class=“alert alert-success“> You are loged in as <em>‘ . $_SESSION[‚username‘]. ‚</em></p>‘; // session solution

echo ‚<p class=“alert alert-success“> There is <em>no need</em> for resend new password. </p>‘; // session solution

echo ‚<p class=“alert alert-success“> If you will logout or login with another credentials, please first <a href=“logout.php“>logout!. </a></p>‘;

}

</div>

<?php // footer include code

require_once(‚footer.php‘); // including footer

generate_footer(580); // function from footer.php for seting width, you can use 580 and 1060px width

</body>

</html>

Conclusion

Password resend functionality conclude demonstration of implementation features to our bazaar app. This series introduces older functional approach for use of php scripting. All bigger projects stand on MVC object oriented concept with support of php frameworks. Please look at our introduction as on demonstration how to do some interactive webpages with php server scripting for absolute beginners with focus on further study. Our big next goal is focus on object oriented programming and new way how to write more reusable code on the future.

All code of bazaar demonstration app can be obtained from github here.

Share the article via the network