Lost Password Recovery WITHOUT username

Your code modifications and patches you want to share with others.
benneh
Joomla! Apprentice
Posts: 19
Joined: Tue Jan 10, 2006 12:03 am

Lost Password Recovery WITHOUT username

Post by benneh » Wed Mar 29, 2006 9:31 am

I am running an ecommerce site with joomla with virtuemart, and wanted this functionality to make it easy for returning customers to retrieve their password, without having to also remember their password.

I do not agree with how this was implemented in the core, but no one seemed interested in making the modification, so I decided to have a go at writing it myself with what very little php knowledge I have...

This hack replaces the registration.html.php and registration.php in components/com_registration and requires ONLY their email address to perform a password reset, not username and password, because no one remembers what username they signed up with most of the time. I had to add some extra code to ensure the recovery email still sends the username however, as they still need the username to login successfully ;)

I hope someone else finds this useful.

Cheers,
Ben

gerrybakker
Joomla! Apprentice
Posts: 18
Joined: Sat Jan 14, 2006 7:43 pm

Re: Lost Password Recovery WITHOUT username

Post by gerrybakker » Sun Apr 30, 2006 6:10 am

:D There should be an Icon for 2 thumbs up. ;D This hack is probably one of the most important and underappreciated features I have seen in the Mambo/Joomla world. This should be standard equipment on all Joomla installs.

I would like to know why this isn't the standard configuration for password recovery. The existing standard login is absolutely unusable when you need to recover your password - the general public simply doesn't remember 2 months later which special combination of username and email address they used to sign up for your site membership and then you lose them as a user or you end up with multiple logins per user per site.

If you set the site's Global settings to require a unique email address per username and then use this hack you have the ideal USER FRIENDLY login system that sends the user both his username and password when all he can remember is his email address.

Come on everybody - get on the bandwagon and make some noise about this - let's make this the high profile issue that it deserves to be. If anyone can give me a really good reason why this hack is a bad idea - let me know.

benneh
Joomla! Apprentice
Posts: 19
Joined: Tue Jan 10, 2006 12:03 am

Re: Lost Password Recovery WITHOUT username

Post by benneh » Mon May 01, 2006 10:46 am

Thanks for the kind comments Gerry. 

I honestly don't think there is interest from the powers that be for this to become part of the core distribution, despite the fact that ALMOST EVERY OTHER WEBSITE IN THE WORLD WHICH REQUIRES A LOGIN HAS THIS FUNCTIONALITY.... sorry I get a bit emotional about this, it really is ignorant they are not giving this any attention... there are multiple posts here requesting this, and the way it is currently implemented is stupid but no one seems to care much... guess no one is interested in making a better experience for users of their website besides you, I, and the few people who have downloaded my hack.

it seems to have sadly gone down the path of many open source projects of only being interested in implementing new features, not fixing the broken ones which already exist :(

duvien
Joomla! Ace
Posts: 1824
Joined: Sun Sep 18, 2005 8:28 pm
Location: Scotland
Contact:

Re: Lost Password Recovery WITHOUT username

Post by duvien » Mon May 01, 2006 12:43 pm

This is certainly a welcome hack, many thanks for sharing.

I just want to know is this for Joomla 1.0.8 and which VirtueMart version are you using this hack for?

thank you,

sunburst
Custom website design | blog | tutorials | Photography | Downloads
Freelance Web Designer/Developer: www.duvien.com

gerrybakker
Joomla! Apprentice
Posts: 18
Joined: Sat Jan 14, 2006 7:43 pm

Re: Lost Password Recovery WITHOUT username

Post by gerrybakker » Mon May 01, 2006 4:41 pm

This hack works great on my Joomla 1.08 install.

sunburst - you're a Joomla hero - bring this to the attention of the other Joomla heroes please and ramp this up to the attention it deserves. Maybe a loud noise from other heroes will get their attention.

benneh
Joomla! Apprentice
Posts: 19
Joined: Tue Jan 10, 2006 12:03 am

Re: Lost Password Recovery WITHOUT username

Post by benneh » Mon May 01, 2006 8:40 pm

g'day sunburst, thanks for taking an interest.  i built this using the latest stable releases of both at the time, joomla 1.0.8 and virtuemart 1.0.4

Cheers.

duvien
Joomla! Ace
Posts: 1824
Joined: Sun Sep 18, 2005 8:28 pm
Location: Scotland
Contact:

Re: Lost Password Recovery WITHOUT username

Post by duvien » Mon May 01, 2006 9:33 pm

gerrybakker wrote: This hack works great on my Joomla 1.08 install.

sunburst - you're a Joomla hero - bring this to the attention of the other Joomla heroes please and ramp this up to the attention it deserves. Maybe a loud noise from other heroes will get their attention.

Don't worry, I believe this good work will get some attention it deserves. The devs do view many of the threads found on this forum too. However, this isn't a good time to be raving on about it as I think the devs are under pressure and working to a very tight schedule for the release of J! 1.5 Beta that's due very soon, so please be patient.

@ benneh, thanks for letting me know which version the hack is for.

thanks,
Custom website design | blog | tutorials | Photography | Downloads
Freelance Web Designer/Developer: www.duvien.com

fatpat
Joomla! Apprentice
Posts: 10
Joined: Tue Oct 04, 2005 1:42 am

Re: Lost Password Recovery WITHOUT username

Post by fatpat » Tue May 02, 2006 12:59 am

Nice hack!  Thanks!

The only "problem" that I see is someone resetting other people's passwords.  Not really a big issue, but it could be a hassle.

Maybe a 2-stage reset would be better.

Request -> Email -> Confirm -> Reset

Cheers!
Patrick

gerrybakker
Joomla! Apprentice
Posts: 18
Joined: Sat Jan 14, 2006 7:43 pm

Re: Lost Password Recovery WITHOUT username

Post by gerrybakker » Tue May 02, 2006 1:21 am

I don't see how anyone could reset other people's passwords because it only emails the new password to the person who needs to be able to access their own user account. The email doesn't go anywhere else or to anyone else. How could this be wrong?

A 2 stage reset would not be any better because it would still be communicating with the proper email account in each stage of the confirmation. All a 2 stage reset would do is make it more work than it needs to be.

Gerry

fatpat
Joomla! Apprentice
Posts: 10
Joined: Tue Oct 04, 2005 1:42 am

Re: Lost Password Recovery WITHOUT username

Post by fatpat » Tue May 02, 2006 1:26 am

No, when you've lost your password it's irrecoverable because of the one-way encryption so it must be reset to a random password.

Either way, no big deal.  I think this hack is much simpler for the end-user.

benneh
Joomla! Apprentice
Posts: 19
Joined: Tue Jan 10, 2006 12:03 am

Re: Lost Password Recovery WITHOUT username

Post by benneh » Wed May 03, 2006 9:44 am

i agree fatpat your suggested way would be good.  i would suggest that it works like so:
  • user enters their email address and clicks reset password
  • an email arrives with a hyperlink telling them to click it if they want to reset their password, and if they didn't request the reset to simply ignore the email
  • when they click the reset link in the email, it takes them to a page where they can enter a new password
and yep, it is good that joomla uses one way password hashes to verify and store passwords, i hate it when a website password reset utility sends me back my actual password because that means it is stored in cleartext somewhere...
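
The flow fatpat and benneh outline (Request -> Email -> Confirm -> Reset), as an added example that is not part of the original thread and is not Joomla or Community Builder code. It assumes PHP 7 or later; the in-memory $users and $outbox arrays, the function names and the one-hour link lifetime are hypothetical stand-ins for the users table, the mailer and site policy.

```php
<?php
// Added illustration of Request -> Email -> Confirm -> Reset (not Joomla code).
// $users and $outbox are constructed in-memory stand-ins for the users table
// and the mailer; RESET_TTL is an assumed policy value.
const RESET_TTL = 3600; // seconds a reset link stays valid
$users = [
    'alice@example.test' => [
        'username'      => 'alice',
        'pw_hash'       => password_hash('old-password', PASSWORD_DEFAULT),
        'reset_hash'    => null,
        'reset_expires' => 0,
    ],
];
$outbox = [];

// Stage 1 (Request -> Email): only a pending token is recorded; the current
// password keeps working, so a third party who types in someone else's
// address cannot change anything.
function requestReset(array &$users, array &$outbox, string $email, int $now): string
{
    $reply = 'If that address is registered, a reset link has been sent.';
    $key   = strtolower(trim($email));
    if (!isset($users[$key])) {
        return $reply; // same reply whether or not the address exists
    }
    $token = bin2hex(random_bytes(32));                     // unguessable, 256 bits
    $users[$key]['reset_hash']    = hash('sha256', $token); // store only a hash
    $users[$key]['reset_expires'] = $now + RESET_TTL;
    $outbox[] = ['to' => $key, 'username' => $users[$key]['username'], 'token' => $token];
    return $reply;
}

// Stage 2 (Confirm -> Reset): the password changes only when the token from
// the email is presented, unexpired, and is then invalidated (single use).
function confirmReset(array &$users, string $email, string $token, string $newPassword, int $now): bool
{
    $key  = strtolower(trim($email));
    $user = $users[$key] ?? null;
    if ($user === null || $user['reset_hash'] === null || $now > $user['reset_expires']) {
        return false;
    }
    if (!hash_equals($user['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$key]['pw_hash']       = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$key]['reset_hash']    = null;
    $users[$key]['reset_expires'] = 0;
    return true;
}

// Walk-through on the constructed account.
$now = time();
requestReset($users, $outbox, 'alice@example.test', $now);
$mail = $outbox[0];
var_dump(password_verify('old-password', $users[$mail['to']]['pw_hash']));         // old password after a request
var_dump(confirmReset($users, $mail['to'], 'guessed', 'new-password', $now));      // wrong token
var_dump(confirmReset($users, $mail['to'], $mail['token'], 'new-password', $now)); // token from the email
var_dump(confirmReset($users, $mail['to'], $mail['token'], 'again', $now));        // replay of a used token
```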

SteveWR
Joomla! Apprentice
Posts: 44
Joined: Wed Nov 16, 2005 10:16 am
Location: Essex, UK

Re: Lost Password Recovery WITHOUT username

Post by SteveWR » Tue May 09, 2006 9:52 am

Thanks for this hack.

I have also changed the text in language/english.php to say that User Names can be recovered not just passwords.
Steve

Solhaug
Joomla! Intern
Posts: 58
Joined: Mon May 08, 2006 6:05 pm

Re: Lost Password Recovery WITHOUT username

Post by Solhaug » Tue Jun 13, 2006 8:10 pm

Nice hack

I have installed it and it works, but the mail returned with the new password does not show the login user name, how do i enable that.

i like the recovery e-mail to show both login and the reset password

i'm running ver. 1.08

Solhaug

gerrybakker
Joomla! Apprentice
Posts: 18
Joined: Sat Jan 14, 2006 7:43 pm

Re: Lost Password Recovery WITHOUT username

Post by gerrybakker » Tue Jun 13, 2006 9:27 pm

It works properly for me on Joomla 1.08 and Joomla 1.09
The email sent from mine looks like this:

The user account gerrybakker has this email associated with it.
A web user from http://www.legaldirectoryservices.com has just requested that a new
password be sent.

Your New Password is: AWWpgVCm

If you didn't ask for this, don't worry. You are seeing this message, not them. If
this was an error just login with your new password and then change your password to
what you would like it to be.


Also, the email Subject shows the username like this:
"LegalDirectoryServices.com :: New password for - gerrybakker"
Last edited by gerrybakker on Tue Jun 13, 2006 9:49 pm, edited 1 time in total.

ot2sen
Joomla! Master
Posts: 10421
Joined: Thu Aug 18, 2005 9:58 am
Location: Hillerød - Denmark
Contact:

Re: Lost Password Recovery WITHOUT username

Post by ot2sen » Thu Jun 15, 2006 7:44 am

Solhaug wrote: Nice hack

I have installed it and it works, but the mail returned with the new password does not show the login user name, how do i enable that.

i like the recovery e-mail to show both login and the reset password

i'm running ver. 1.08

Solhaug

Hi Solhaug,

That issue is not related to this nice hack, but actually an error in the local translation - My mistake  :-[
Actually I managed to translate part of the string for fetching username but no one had noticed this throughout the whole 1.0x series, until now.

The Danish language file for 1.0.9 is now corrected and can be downloaded at the Danish joomlaforge project

Cheers,
Ole
Last edited by ot2sen on Thu Jun 15, 2006 8:44 am, edited 1 time in total.
Ole Bang Ottosen
Dansk frivillig Joomla! support websted - joomla.dk
OpenTranslators Core Team opentranslators.org

Solhaug
Joomla! Intern
Posts: 58
Joined: Mon May 08, 2006 6:05 pm

Re: Lost Password Recovery WITHOUT username

Post by Solhaug » Thu Jun 15, 2006 9:29 pm

You are right  :D

It is fixed now.

gypsydogg
Joomla! Apprentice
Posts: 21
Joined: Fri Jun 16, 2006 12:12 am

Re: Lost Password Recovery WITHOUT username

Post by gypsydogg » Fri Jun 16, 2006 4:13 am

I agree, this definitely needed to be done.  Unfortunately I can't use it because I am using community builder and it uses a different file com_comprofiler.  Any chance of anyone taking a stab at this??  I would if I knew PHP.
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65

HansM
Joomla! Fledgling
Posts: 4
Joined: Sun Jun 18, 2006 12:20 pm

Re: Lost Password Recovery WITHOUT username

Post by HansM » Sun Jun 18, 2006 12:38 pm

Great idea to make this hack!
There are too many things that are overdosed in our world especially in software.
Nevertheless I must agree with the opinion that it can be frustrating if anyone knowing your email address is able to send you new passwords all the time.

Although I will start a new topic in this forum regarding a new question, I would like to add this question in here as well, because it's a question which is near to this topic. Here it is:

Has anyone been able to drop the field username in the login form? I think name only will do well for most websites. Who needs a separate username? I don't. I only use the login as a registration form for a newsletter for example.
Secondly, is it possible to send new users a randomized password instead of using the input fields "password"?

Thanx for your idea.

MoJo2
Joomla! Apprentice
Posts: 10
Joined: Mon Jun 05, 2006 9:28 am

Re: Lost Password Recovery WITHOUT username

Post by MoJo2 » Wed Jun 28, 2006 8:57 pm

I run 1.08 and i'm using comprofiler.
In my case this hack doesn't work.

Has somebody an idea of how to change this when using comprofiler?

I think these files need to be edited because they contain info about pass recovery
/www/components/comprofiler.html.php
/www/components/comprofiler.php

Thanks!

gypsydogg
Joomla! Apprentice
Posts: 21
Joined: Fri Jun 16, 2006 12:12 am

Re: Lost Password Recovery WITHOUT username

Post by gypsydogg » Wed Jun 28, 2006 10:34 pm

Ya that is the same problem I have comprofiler/community builder, same thing...Anybody have the skills to help us out?
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65

japh
Joomla! Apprentice
Posts: 8
Joined: Mon Jul 03, 2006 9:58 pm

Re: Lost Password Recovery WITHOUT username

Post by japh » Tue Jul 04, 2006 4:38 pm

fatpat wrote: Nice hack!  Thanks!

The only "problem" that I see is someone resetting other people's passwords.  Not really a big issue, but it could be a hassle.

Maybe a 2-stage reset would be better.

Request -> Email -> Confirm -> Reset

Cheers!
Patrick

Hi all :)

The "email only" password recovery isn't that *hard* to implement, even for my (very) limited knowledge of PHP. Basically remove the "username" field from the form and modify the query to ignore the "AND username=" ... :)
Nice work, either way ;)

About the "Request -> Email -> Confirm -> Reset" ... anyone has something of this type working ? I have a 4000+ users community, but there is always a dumb*** that thinks that resetting other user's passwords is funny ...

Help ? ;-)

Regards,

Paulo Pinto

japh
Joomla! Apprentice
Posts: 8
Joined: Mon Jul 03, 2006 9:58 pm

Re: Lost Password Recovery WITHOUT username

Post by japh » Tue Jul 04, 2006 4:47 pm

MoJo2 wrote: I run 1.08 and i'm using comprofiler.
In my case this hack doesn't work.

Has somebody an idea of how to change this when using comprofiler?

I think these files need to be edited because they contain info about pass recovery
/www/components/comprofiler.html.php
/www/components/comprofiler.php

Thanks!

Eh ... if I'm not mistaken, on comprofiler.html.php, comment out the lines:
   
     
     
   
Remember that "" ends it.

On comprofiler.php, replace:
        if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
              mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }
by
        if (!$user_id  || !$confirmEmail) {
                mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }
I *think* that's all ... but you're on your own .. ;)

Regards,

gypsydogg
Joomla! Apprentice
Posts: 21
Joined: Fri Jun 16, 2006 12:12 am

Re: Lost Password Recovery WITHOUT username

Post by gypsydogg » Tue Jul 04, 2006 7:29 pm

hmmm, I get no corresponding username found....
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65

japh
Joomla! Apprentice
Posts: 8
Joined: Mon Jul 03, 2006 9:58 pm

Re: Lost Password Recovery WITHOUT username

Post by japh » Wed Jul 05, 2006 9:26 am

gypsydogg wrote: hmmm, I get no corresponding username found....

*cof* I think I forgot something :-)

Ok, here's the code for the beginning of section "function sendNewPass" from the comprofiler.php. Notice the remarked code and the corresponding substitutions. Hopefully that is all ... ;-)
function sendNewPass( $option ) {
        global $database, $Itemid;
        global $ueConfig,$_PLUGINS;

        // ensure no malicious sql gets past
        // $checkusername = trim( mosGetParam( $_POST, 'checkusername', '') );
        $confirmEmail = trim( mosGetParam( $_POST, 'confirmEmail', '') );

        //$database->setQuery( "SELECT id FROM #__users"
        //. "\nWHERE username='$checkusername' AND email='$confirmEmail'"
        //);
        $database->setQuery( "SELECT id FROM #__users
                              WHERE email='$confirmEmail'");
        $user_id = $database->loadResult();
        $database->setQuery( "SELECT username FROM #__users
                              WHERE email='$confirmEmail'");
        $checkusername = $database->loadResult();


        //if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
        //      mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        //}

        if (!$user_id  || !$confirmEmail) {
                mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }
(...)
And about the "Request -> Email -> Confirm -> Reset" ... anyone ? :(

Regards,

SteveWR
Joomla! Apprentice
Posts: 44
Joined: Wed Nov 16, 2005 10:16 am
Location: Essex, UK

Re: Lost Password Recovery WITHOUT username

Post by SteveWR » Wed Jul 05, 2006 1:37 pm

Is this hack still ok to use in 1.0.10?



Thanks
Steve

japh
Joomla! Apprentice
Posts: 8
Joined: Mon Jul 03, 2006 9:58 pm

Re: Lost Password Recovery WITHOUT username

Post by japh » Wed Jul 05, 2006 1:41 pm

The hack I've "pasted" is for comprofiler (Community Builder), over 1.0RC2 (dunno if there are changes on 1.0 final).

Nothing to do with Joomla! "core" ... so I guess it doesn't matter if you're running 1.0.8 or 1.0.10 ...


And about the "Request -> Email -> Confirm -> Reset" ... anyone has a solution for it ???  :'(

gypsydogg
Joomla! Apprentice
Posts: 21
Joined: Fri Jun 16, 2006 12:12 am

Re: Lost Password Recovery WITHOUT username

Post by gypsydogg » Wed Jul 05, 2006 5:39 pm

Making progress, it recognized the email address, and said it was sending a new email address, but I did not receive anything yet, it might be my settings as I am in an alpha phase of my site.  I'll do a status update as soon as I find out.
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65

gypsydogg
Joomla! Apprentice
Posts: 21
Joined: Fri Jun 16, 2006 12:12 am

Re: Lost Password Recovery WITHOUT username

Post by gypsydogg » Sat Jul 22, 2006 1:52 am

It does work!!!  Hot Damn!!
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65

japh
Joomla! Apprentice
Posts: 8
Joined: Mon Jul 03, 2006 9:58 pm

Re: Lost Password Recovery WITHOUT username

Post by japh » Sat Jul 22, 2006 12:58 pm

Well.. it does work for me, so it should work for you too :P

Either way, still waiting for someone to post anything for "Request -> Email -> Confirm -> Reset" thingy ...

Regards,

gypsydogg
Joomla! Apprentice
Posts: 21
Joined: Fri Jun 16, 2006 12:12 am

Re: Lost Password Recovery WITHOUT username

Post by gypsydogg » Sat Jul 22, 2006 2:03 pm

Ahhhh I know what you mean, PHPnuke has that system.  Works very well too.
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65

