Joomla!
http://forum.joomla.org/

Lost Password Recovery WITHOUT username
http://forum.joomla.org/viewtopic.php?f=178&t=50531
Page 1 of 3

Author:  benneh [ Wed Mar 29, 2006 9:31 am ]
Post subject:  Lost Password Recovery WITHOUT username

I am running an ecommerce site with joomla with virtuemart, and wanted this functionality to make it easy for returning customers to retrieve their password, without having to also remember their password.

I do not agree with how this was implemented in the core, but no one seemed interested in making the modification, so I decided to have a go at writing it myself with what very little php knowledge I have...

This hack replaces the registration.html.php and registration.php in components/com_registration and requires ONLY their email address to perform a password reset, not username and password, because no one remembers what username they signed up with most of the time. I had to add some extra code to ensure the recovery email still sends the username however, as they still need the username to login successfully ;)

I hope someone else finds this useful.

Cheers,
Ben

Author:  gerrybakker [ Sun Apr 30, 2006 6:10 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

:D There should be an Icon for 2 thumbs up. ;D This hack is probably one of the most important and underappreciated features I have seen in the Mambo/Joomla world. This should be standard equipment on all Joomla installs.

I would like to know why this isn't the standard configuration for password recovery. The existing standard login is absolutely un-usable when you need to recover your password - the general public simply doesn't remember 2 months later which special combination of username and email address they used to sign up for your site membership and then you lose them as a user or you end up with multiple logins per user per site.

If you set the site's Global settings to require a unique email address per username and then use this hack you have the ideal USER FRIENDLY login system that sends the user both his username and password when all he can remember is his email address.

Come on everybody - get on the bandwagon and make some noise about this - let's make this the high profile issue that it deserves to be. If anyone can give me a really good reason why this hack is a bad idea - let me know.

Author:  benneh [ Mon May 01, 2006 10:46 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Thanks for the kind comments Gerry. 

I honestly don't think there is interest from the powers that be for this to become part of the core distribution, despite the fact that ALMOST EVERY OTHER WEBSITE IN THE WORLD WHICH REQUIRES A LOGIN HAS THIS FUNCTIONALITY.... sorry i get a bit emotional about this, it really is ignorant they are not giving this any attention... there are multiple posts here requesting this, and the way it is currently implemented is stupid but no one seems to care much... guess no one is interested in making a better experience for users of their website besides you, me, and the few people who have downloaded my hack.

it seems to have sadly gone down the path of many open source projects of only being interested in implementing new features, not fixing the broken ones which already exist :(

Author:  duvien [ Mon May 01, 2006 12:43 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

This is certainly a welcome hack, many thanks for sharing.

I just want to know is this for Joomla 1.0.8 and which VirtueMart version are you using this hack for?

thank you,

sunburst

Author:  gerrybakker [ Mon May 01, 2006 4:41 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

This hack works great on my Joomla 1.08 install.

sunburst - you're a Joomla hero - bring this to the attention of the other Joomla heroes please and ramp this up to the attention it deserves. Maybe a loud noise from other heroes will get their attention.

Author:  benneh [ Mon May 01, 2006 8:40 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

g'day sunburst, thanks for taking an interest.  i built this using the latest stable releases of both at the time, joomla 1.0.8 and virtuemart 1.0.4

Cheers.

Author:  duvien [ Mon May 01, 2006 9:33 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

gerrybakker wrote:
This hack works great on my Joomla 1.08 install.

sunburst - you're a Joomla hero - bring this to the attention of the other Joomla heroes please and ramp this up to the attention it deserves. Maybe a loud noise from other heroes will get their attention.


Don't worry, i believe this good work will get some of the attention it deserves. The devs do view many of the threads found on this forum too. However, this isn't a good time to be raving on about it as i think the devs are under pressure and working to a very tight schedule for the release of J! 1.5 Beta that's due very soon, so please be patient.

@ benneh, thanks for letting me know which version the hack is for.

thanks,

Author:  fatpat [ Tue May 02, 2006 12:59 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Nice hack!  Thanks!

The only "problem" that I see is someone resetting other people's passwords.  Not really a big issue, but it could be a hassle.

Maybe a 2-stage reset would be better.

Request -> Email -> Confirm -> Reset

Cheers!
Patrick

Author:  gerrybakker [ Tue May 02, 2006 1:21 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

I don't see how anyone could reset other people's passwords because it only emails the new password to the person who needs to be able to access their own user account. The email doesn't go anywhere else or to anyone else. How could this be wrong?

A 2 stage reset would not be any better because it would still be communicating with the proper email account in each stage of the confirmation. All a 2 stage reset would do is make it more work than it needs to be.

Gerry

Author:  fatpat [ Tue May 02, 2006 1:26 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

No, when you've lost your password it's irrecoverable because of the one-way encryption so it must be reset to a random password.

Either way, no big deal.  I think this hack is much simpler for the end-user.

Author:  benneh [ Wed May 03, 2006 9:44 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

i agree fatpat your suggested way would be good.  i would suggest that it works like so:
  • user enters their email address and clicks reset password
  • an email arrives with a hyperlink telling them to click it if they want to reset their password, and if they didn't request the reset to simply ignore the email
  • when they click the reset link in the email, it takes them to a page where they can enter a new password

and yep, it is good that joomla uses one way password hashes to verify and store passwords, i hate it when a website password reset utility sends me back my actual password because that means it is stored in cleartext somewhere...
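
The Request -> Email -> Confirm -> Reset flow described in the post above, as an added example that is not part of the original thread and is not Joomla or Community Builder code. All function and variable names are hypothetical, in-memory arrays stand in for the users table and a reset-token table, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: constructed data; $users and $resetTokens stand in for DB tables.
$users = ['alice@example.test' => ['username' => 'alice',
          'hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$resetTokens = [];          // sha256(token) => ['email' => ..., 'expires' => ...]
const RESET_TTL = 3600;     // emailed links stay valid for one hour

// Stage 1: Request -> Email. The stored password is NOT changed here, so a
// stranger who only knows the address cannot lock the owner out.
function requestReset(string $email, array $users, array &$resetTokens): ?string
{
    if (!isset($users[$email])) {
        return null;        // caller shows the same "check your inbox" page either way
    }
    // Drop any earlier pending link for this address so only the newest one works.
    foreach ($resetTokens as $key => $row) {
        if ($row['email'] === $email) unset($resetTokens[$key]);
    }
    $token = bin2hex(random_bytes(32));            // 256-bit unguessable value
    $resetTokens[hash('sha256', $token)] = [       // store only a hash of the token
        'email' => $email, 'expires' => time() + RESET_TTL];
    return $token;          // goes into the emailed link, never into the web response
}

// Stage 2: Confirm -> Reset. Only someone who can read the mailbox holds the token.
function confirmReset(string $token, string $newPassword,
                      array &$users, array &$resetTokens): bool
{
    $key = hash('sha256', $token);
    if (!isset($resetTokens[$key])) return false;  // unknown or already used
    $row = $resetTokens[$key];
    unset($resetTokens[$key]);                     // single use, even when expired
    if ($row['expires'] < time()) return false;
    $users[$row['email']]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Constructed walk-through of both stages.
$link = requestReset('alice@example.test', $users, $resetTokens);
var_dump(password_verify('old-secret', $users['alice@example.test']['hash'])); // after stage 1
var_dump(confirmReset('guessed-token', 'x', $users, $resetTokens));            // wrong token
var_dump(confirmReset($link, 'new-secret', $users, $resetTokens));             // emailed token
var_dump(confirmReset($link, 'again', $users, $resetTokens));                  // replayed token
```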

Author:  SteveWR [ Tue May 09, 2006 9:52 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Thanks for this hack.

I have also changed the text in language/english.php to say that User Names can be recovered not just passwords.

Author:  Solhaug [ Tue Jun 13, 2006 8:10 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Nice hack

I have installed it and it works, but the mail returned with the new password does not show the login user name, how do i enable that.

i like the recovery e-mail to show both login and the reset password

i'm running ver. 1.08

Solhaug

Author:  gerrybakker [ Tue Jun 13, 2006 9:27 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

It works properly for me on Joomla 1.08 and Joomla 1.09
The email sent from mine looks like this:

The user account gerrybakker has this email associated with it.
A web user from http://www.legaldirectoryservices.com has just requested that a new
password be sent.

Your New Password is: AWWpgVCm

If you didn't ask for this, don't worry. You are seeing this message, not them. If
this was an error just login with your new password and then change your password to
what you would like it to be.


Also, the email Subject shows the username like this:
"LegalDirectoryServices.com :: New password for - gerrybakker"

Author:  ot2sen [ Thu Jun 15, 2006 7:44 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Solhaug wrote:
Nice hack

I have installed it and it works, but the mail returned with the new password does not show the login user name, how do i enable that.

i like the recovery e-mail to show both login and the reset password

i'm running ver. 1.08

Solhaug

Hi Solhaug,

That issue is not related to this nice hack, but actually an error in the local translation - My mistake  :-[
Actually I managed to translate part of the string for fetching username but no one had noticed this throughout the whole 1.0x series, until now.

The Danish language file for 1.0.9 is now corrected and can be downloaded at the Danish joomlaforge project

Cheers,
Ole

Author:  Solhaug [ Thu Jun 15, 2006 9:29 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

You are right  :D

It is fixed now.

Author:  gypsydogg [ Fri Jun 16, 2006 4:13 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

I agree, this definitely needed to be done.  Unfortunately I can't use it because I am using community builder and it uses a different file com_comprofiler.  Any chance of anyone taking a stab at this??  I would if I knew PHP.

Author:  HansM [ Sun Jun 18, 2006 12:38 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Great idea to make this hack!
There are too many things that are overdosed in our world especially in software.
Nevertheless I must agree with the opinion that it can be frustrating, if anyone knowing your email address is able to send you new passwords all the time.

Although I will start a new topic in this forum regarding a new question, I would like to add this question in here as well, because it's a question which is near to this topic. Here it is:

Has anyone been able to drop the field username in the login form? I think name only will do well for most websites. Who needs a separate username? I don't. I only use the login as a registration form for a newsletter for example.
Secondly, is it possible to send new users a randomized password instead of using the input fields "password"?

Thanx for your idea.

Author:  MoJo2 [ Wed Jun 28, 2006 8:57 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

I run 1.08 and i'm using comprofiler.
In my case this hack doesn't work.

Does somebody have an idea of how to change this when using comprofiler?

I think these files need to be edited because they contain info about password recovery
/www/components/comprofiler.html.php
/www/components/comprofiler.php

Thanks!

Author:  gypsydogg [ Wed Jun 28, 2006 10:34 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Ya that is the same problem I have comprofiler/community builder, same thing...Anybody have the skills to help us out?

Author:  japh [ Tue Jul 04, 2006 4:38 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

fatpat wrote:
Nice hack!  Thanks!

The only "problem" that I see is someone resetting other people's passwords.  Not really a big issue, but it could be a hassle.

Maybe a 2-stage reset would be better.

Request -> Email -> Confirm -> Reset

Cheers!
Patrick


Hi all :)

The "email only" password recovery isn't that *hard* to implement, even for my (very) limited knowledge of PHP. Basically remove the "username" field from the form and modify the query to ignore the "AND username=" ... :)
Nice work, either way ;)

About the "Request -> Email -> Confirm -> Reset" ... anyone has something of this type working ? I have a 4000+ users community, but there is always a dumb*** that thinks that resetting other user's passwords is funny ...

Help ? ;-)

Regards,

Paulo Pinto


     
     
   


Remember that "" ends it.

On comprofiler.php, replace:

Quote:
        if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
              mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }


by

Quote:
        if (!$user_id  || !$confirmEmail) {
                mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }


I *think* that's all ... but you're on your own .. ;)

Regards,

Author:  japh [ Tue Jul 04, 2006 4:47 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

MoJo2 wrote:
I run 1.08 and i'm using comprofiler.
In my case this hack doesn't work.

Does somebody have an idea of how to change this when using comprofiler?

I think these files need to be edited because they contain info about password recovery
/www/components/comprofiler.html.php
/www/components/comprofiler.php

Thanks!



Eh ... if I'm not mistaken, on comprofiler.html.php, comment out the lines:

Quote:
   

Author:  gypsydogg [ Tue Jul 04, 2006 7:29 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

hmmm, I get no corresponding username found....

Author:  japh [ Wed Jul 05, 2006 9:26 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

gypsydogg wrote:
hmmm, I get no corresponding username found....


*cof* I think I forgot something :-)

Ok, here's the code for the beginning of section "function sendNewPass" from the comprofiler.php. Notice the remarked code and the correspondent substitutions. Hopefully that is all ... ;-)

Quote:
function sendNewPass( $option ) {
        global $database, $Itemid;
        global $ueConfig,$_PLUGINS;

        // ensure no malicious sql gets past
        // $checkusername = trim( mosGetParam( $_POST, 'checkusername', '') );
        $confirmEmail = trim( mosGetParam( $_POST, 'confirmEmail', '') );

        //$database->setQuery( "SELECT id FROM #__users"
        //. "\nWHERE username='$checkusername' AND email='$confirmEmail'"
        //);
        $database->setQuery( "SELECT id FROM #__users
                              WHERE email='$confirmEmail'");
        $user_id = $database->loadResult();
        $database->setQuery( "SELECT username FROM #__users
                              WHERE email='$confirmEmail'");
        $checkusername = $database->loadResult();


        //if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
        //      mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        //}

        if (!$user_id  || !$confirmEmail) {
                mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }
(...)


And about the "Request -> Email -> Confirm -> Reset" ... anyone ? :(

Regards,

Author:  SteveWR [ Wed Jul 05, 2006 1:37 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Is this hack still ok to use in 1.0.10?



Thanks

Author:  japh [ Wed Jul 05, 2006 1:41 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

The hack I've "pasted" is for comprofiler (Community Builder), over 1.0RC2 (dunno if there are changes on 1.0 final).

Nothing to do with Joomla! "core" ... so I guess it doesn't matter if you're running 1.0.8 or 1.0.10 ...


And about the "Request -> Email -> Confirm -> Reset" ... anyone has a solution for it ???  :'(

Author:  gypsydogg [ Wed Jul 05, 2006 5:39 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Making progress, it recognized the email address, and said it was sending a new email address, but I did not receive anything yet, it might be my settings as I am in an alpha phase of my site.  I'll do a status update as soon as I find out.

Author:  gypsydogg [ Sat Jul 22, 2006 1:52 am ]
Post subject:  Re: Lost Password Recovery WITHOUT username

It does work!!!  Hot Damn!!

Author:  japh [ Sat Jul 22, 2006 12:58 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Well.. it does work for me, so it should work for you too :P

Either way, still waiting for someone to post anything for "Request -> Email -> Confirm -> Reset" thingy ...

Regards,

Author:  gypsydogg [ Sat Jul 22, 2006 2:03 pm ]
Post subject:  Re: Lost Password Recovery WITHOUT username

Ahhhh I know what you mean, PHPnuke has that system.  Works very well too.

Page 1 of 3 All times are UTC