Lost Password Recovery WITHOUT username

by **benneh** on Wed Mar 29, 2006 9:31 am

I am running an ecommerce site with joomla with virtuemart, and wanted this functionality to make it easy for returning customers to retrieve their password, without having to also remember their password.

I do not agree with how this was implemented in the core, but no one seemed interested in making the modification, so I decided to have a go at writing it myself with what very little php knowledge I have...

This hack replaces the registration.html.php and registration.php in components/com_registration and requires ONLY their email address to perform a password reset, not username and password, because noone remembers what username they signed up with most of the time. I had to add some extra code to ensure the recovery email still sends the username however, as they still need the username to login successfully

I hope someone else finds this useful.

Cheers,
Ben

by **gerrybakker** on Sun Apr 30, 2006 6:10 am

There should be an Icon for 2 thumbs up.

This hack is probably one of the most important and under appreciated features I have seen in the Mambo/Joomla world. This should be standard equipment on all Joomla installs.

I would like to know why this isn't the standard configuration for password recovery. The existing standard login is absolutely un-usable when you need to recover your password - the general public simply doesn't remember 2 months later which special combination of username and email address they used to sign up for your site membership and then you lose them as a user or you end up with multiple logins per user per site.

If you set the site's Global settings to require a unique email address per username and then use this hack you have the ideal USER FRIENDLY login system that sends the user both his username and password when all he can remember is his email address.

Come on everybody - get on the bandwagon and make some noise about this - let's make this the high profile issue that it deserves to be. If anyone can give me a really good reason why this hack is a bad idea - let me know.

by **benneh** on Mon May 01, 2006 10:46 am

Thanks for the kind comments Gerry.

I honestly don't think there is interest from the powers that be for this to become part of the core distribution, despite the fact that ALMOST EVERY OTHER WEBSITE IN THE WORLD WHICH REQUIRES A LOGIN HAS THIS FUNCTIONALITY.... sorry i get a bit emotional about this, it really is ignorant they are not giving this any attention... there is multiple posts here requesting this, and the way it is currently implemented is stupid but noone seems to care much... guess noone is interested in making a better experience for users of their website besides you, I, and the few people who have downloaded my hack.

it seems to have sadly gone down the path of many open source projects of only being interested in implementing new features, not fixing the broken ones which already exist

by **duvien** on Mon May 01, 2006 12:43 pm

This is certainly a welcome hack, many thanks for sharing.

I just want to know is this for Joomla 1.0.8 and which VirtueMart version are you using this hack for?

thank you,

sunburst

by **gerrybakker** on Mon May 01, 2006 4:41 pm

This hack works great on my Joomla 1.08 install.

sunburst - you're a Joomla hero - bring this to the attention of the other Joomla heros please and ramp this up to the attention it deserves. Maybe a loud noise from other heros will get their attention.

by **benneh** on Mon May 01, 2006 8:40 pm

g'day sunburst, thanks for taking an interest. i built this using the latest stable releases of both at the time, joomla 1.0.8 and virtuemart 1.0.4

Cheers.

by **duvien** on Mon May 01, 2006 9:33 pm

gerrybakker wrote:This hack works great on my Joomla 1.08 install.

sunburst - you're a Joomla hero - bring this to the attention of the other Joomla heros please and ramp this up to the attention it deserves. Maybe a loud noise from other heros will get their attention.

Don't worry, i believe this good work will get some attention it deserves. The devs do views many of the threads found on this forum too. However, this isn't a good time to be raving on about it as i think the devs are under pressure and working a very tight schudule of the release of J! 1.5 Beta that's due very soon, so please be patient.

@ benneh, thanks for letting me know which version the hacks is for.

thanks,

by **fatpat** on Tue May 02, 2006 12:59 am

Nice hack! Thanks!

The only "problem" that I see is someone resetting other peoples passwords. Not really a big issue, but it could be a hassle.

Maybe a 2-stage reset would be better.

Request -> Email -> Confirm -> Reset

Cheers!
Patrick

by **gerrybakker** on Tue May 02, 2006 1:21 am

I dont see how anyone could reset other people's passwords because it only emails the new password to the person who needs to be able to access their own user account. The email doesn't go anywhere else or to anyone else. How could this be wrong.

A 2 stage reset would not be any better because it would still be communicating with the proper email account in each stage of the confirmation. All a 2 stage reset would do is make it more work than it needs to be.

Gerry

by **fatpat** on Tue May 02, 2006 1:26 am

No, when you've lost your password it's irrecoverable because of the one-way encryption so it must be reset to a random password.

Either way, no big deal. I think this hack is much simpler for the end-user.

by **benneh** on Wed May 03, 2006 9:44 am

i agree fatpat your suggested way would be good. i would suggest that it works like so:

user enters their email address and clicks reset password
an email arrives with a hyperlink telling them to click it if they want to reset their password, and if they didnt request the reset to simply ignore the email
when they click the reset link in the email, it takes them to a page where they can enter a new password

and yep, it is good that joomla uses one way password hashes to verify and store passwords, i hate it when a website password reset utility sends me back my actual password because that means it is stored in cleartext somewhere...

by **SteveWR** on Tue May 09, 2006 9:52 am

Thanks for this hack.

I have also changed the text in language/english.php to say that User Names can be recovered not just passwords.

by **Solhaug** on Tue Jun 13, 2006 8:10 pm

Nice hack

I have installed it and it works, but the mail returned with the new password does not show the login user name, how do i enable that.

i like the recovery e-mail to show both login and the reset password

i'm running ver. 1.08

Solhaug

by **gerrybakker** on Tue Jun 13, 2006 9:27 pm

It works properly for me on Joomla 1.08 and Joomla 1.09
The email sent from mine looks like this:

The user account gerrybakker has this email associated with it.
A web user from http://www.legaldirectoryservices.com has just requested that a new
password be sent.

Your New Password is: AWWpgVCm

If you didn't ask for this, don't worry. You are seeing this message, not them. If
this was an error just login with your new password and then change your password to
what you would like it to be.

Also, the email Subject shows the username like this:
"LegalDirectoryServices.com :: New password for - gerrybakker"

by **ot2sen** on Thu Jun 15, 2006 7:44 am

Solhaug wrote:Nice hack

I have installed it and it works, but the mail returned with the new password does not show the login user name, how do i enable that.

i like the recovery e-mail to show both login and the reset password

i'm running ver. 1.08

Solhaug

Hi Solhaug,

That issue is not related to this nice hack, but actually an error in the local translation - My mistake :-[

Actually I managed to translate part of the string for fetching username but noone had noticed this throughout the whole 1.0x series, until now.

The danish languagefile for 1.0.9 is now corrected and can be downloaded at the danish joomlaforge project

Cheers,
Ole

by **Solhaug** on Thu Jun 15, 2006 9:29 pm

You are right

It is fixed now.

by **gypsydogg** on Fri Jun 16, 2006 4:13 am

I agree, this definately needed to be done. Unfortunately I can't use it because I am using community builder and it uses a different file com_comprofiler. Any chance of anyone taking a stab at this?? I would if I new PHP.

by **HansM** on Sun Jun 18, 2006 12:38 pm

Great idea to make this hack!
There are too many things that are overdosed in our world especially in software.
Nevertheless I must agree to the opinion that you it can be frustating, if anyone knowing your emailadress is able to send you new passwords all the time.

Although I will start a new topic in this forum regarding a new question, I would like to add this question in here as well, because it's a question which is near to this topic. Here it is:

Has anyone been able to drop the field username in the loginform? I think name only will do well for most websites. Who needs a separate username? I don't. I only use the login as registrationform for a newsletter for example.
Secondly, is it possible to send new users a randomized password instead of using the inputfields "password"?

Thanx for your idea.

by **MoJo2** on Wed Jun 28, 2006 8:57 pm

I run 1.08 and i'm using comprofiler.
In my case this hack don't work.

Has somebody an Idea of how to change this when using comprofiler.

I think these files need to be edited beacuase they contain info about passrecovey
/www/components/comprofiler.html.php
/www/components/comprofiler.php

Thanks!

by **gypsydogg** on Wed Jun 28, 2006 10:34 pm

Ya that is the same problem I have comprofiler/community builder, same thing...Anybody have the skills to help us out?

by **japh** on Tue Jul 04, 2006 4:38 pm

fatpat wrote:Nice hack! Thanks!

The only "problem" that I see is someone resetting other peoples passwords. Not really a big issue, but it could be a hassle.

Maybe a 2-stage reset would be better.

Request -> Email -> Confirm -> Reset

Cheers!
Patrick

Hi all :)

The "email only" password recovery isn't that *hard* to implement, even for my (very) limited knowledge of PHP. Basically remove the "username" field from the form and modify the query to ignore the "AND username=" ... :)
Nice work, either way ;)

About the "Request -> Email -> Confirm -> Reset" ... anyone has something of this type working ? I have a 4000+ users community, but there is always a dumb*** that thinks that resetting other user's passwords is funny ...

Help ? ;-)

Regards,

Paulo Pinto

by **japh** on Tue Jul 04, 2006 4:47 pm

MoJo2 wrote:I run 1.08 and i'm using comprofiler.
In my case this hack don't work.

Has somebody an Idea of how to change this when using comprofiler.

I think these files need to be edited beacuase they contain info about passrecovey
/www/components/comprofiler.html.php
/www/components/comprofiler.php

Thanks!

Eh ... if I'm not mistaken, on comprofiler.html.php, comment out the lines:

Remember that "" ends it.

On comprofiler.php, replace:

if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
}

by

if (!$user_id || !$confirmEmail) {
mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
}

I *think* that's all ... but you're on your own ..

Regards,

by **gypsydogg** on Tue Jul 04, 2006 7:29 pm

hmmm, I get no corrisponding username found....

by **japh** on Wed Jul 05, 2006 9:26 am

gypsydogg wrote:hmmm, I get no corrisponding username found....

*cof* I think I forgot something :-)

Ok, here's the code for the beginning of section "function sendNewPass" from the comprofiler.php. Notice the remarked code and the correspondent substitutions. Hopefully that is all ... ;-)

function sendNewPass( $option ) {
global $database, $Itemid;
global $ueConfig,$_PLUGINS;

// ensure no malicous sql gets past
// $checkusername = trim( mosGetParam( $_POST, 'checkusername', '') );
$confirmEmail = trim( mosGetParam( $_POST, 'confirmEmail', '') );

//$database->setQuery( "SELECT id FROM #__users"
//. "\nWHERE username='$checkusername' AND email='$confirmEmail'"
//);
$database->setQuery( "SELECT id FROM #__users
WHERE email='$confirmEmail'");
$user_id = $database->loadResult();
$database->setQuery( "SELECT username FROM #__users
WHERE email='$confirmEmail'");
$checkusername = $database->loadResult();

//if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
// mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
//}

if (!$user_id || !$confirmEmail) {
mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
}
(...)

And about the "Request -> Email -> Confirm -> Reset" ... anyone ?

Regards,

by **SteveWR** on Wed Jul 05, 2006 1:37 pm

Is this hack still ok to use in 1.0.10?

Thanks

by **japh** on Wed Jul 05, 2006 1:41 pm

The hack I've "pasted" is for comprofiler (Community Builder), over 1.0RC2 (dunno if there are changes on 1.0 final).

Nothing to do with Joomla! "core" ... so I guess it doesn't matter if you're running 1.0.8 or 1.0.10 ...

And about the "Request -> Email -> Confirm -> Reset" ... anyone has a solution for it

by **gypsydogg** on Wed Jul 05, 2006 5:39 pm

Making progress, it recognized the email address, and said it was sending a new email address, but I did not receive anything yet, it might be my settings as I am in a alpha phase of my site. I'll do a status update as soon as I find out.

by **gypsydogg** on Sat Jul 22, 2006 1:52 am

It does work!!! Hot Damn!!

by **japh** on Sat Jul 22, 2006 12:58 pm

Well.. it does work for me, so it should work for you too :P

Either way, still waiting for someone to post anything for "Request -> Email -> Confirm -> Reset" thingy ...

Regards,

by **gypsydogg** on Sat Jul 22, 2006 2:03 pm

Ahhhh I know what you mean, PHPnuke has that system. Works very well too.

Lost Password Recovery WITHOUT username

Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Re: Lost Password Recovery WITHOUT username

Who is online