Lost Password Recovery WITHOUT username

[benneh]

I am running an ecommerce site with joomla with virtuemart, and wanted this functionality to make it easy for returning customers to retrieve their password, without having to also remember their password.

I do not agree with how this was implemented in the core, but no one seemed interested in making the modification, so I decided to have a go at writing it myself with what very little php knowledge I have...

This hack replaces the registration.html.php and registration.php in components/com_registration and requires ONLY their email address to perform a password reset, not username and password, because noone remembers what username they signed up with most of the time. I had to add some extra code to ensure the recovery email still sends the username however, as they still need the username to login successfully

I hope someone else finds this useful.

Cheers,
Ben

[gerrybakker]

There should be an Icon for 2 thumbs up. This hack is probably one of the most important and under appreciated features I have seen in the Mambo/Joomla world. This should be standard equipment on all Joomla installs.

I would like to know why this isn't the standard configuration for password recovery. The existing standard login is absolutely un-usable when you need to recover your password - the general public simply doesn't remember 2 months later which special combination of username and email address they used to sign up for your site membership and then you lose them as a user or you end up with multiple logins per user per site.

If you set the site's Global settings to require a unique email address per username and then use this hack you have the ideal USER FRIENDLY login system that sends the user both his username and password when all he can remember is his email address.

Come on everybody - get on the bandwagon and make some noise about this - let's make this the high profile issue that it deserves to be. If anyone can give me a really good reason why this hack is a bad idea - let me know.

[benneh]

Thanks for the kind comments Gerry. 

I honestly don't think there is interest from the powers that be for this to become part of the core distribution, despite the fact that ALMOST EVERY OTHER WEBSITE IN THE WORLD WHICH REQUIRES A LOGIN HAS THIS FUNCTIONALITY.... sorry i get a bit emotional about this, it really is ignorant they are not giving this any attention... there is multiple posts here requesting this, and the way it is currently implemented is stupid but noone seems to care much... guess noone is interested in making a better experience for users of their website besides you, I, and the few people who have downloaded my hack.

it seems to have sadly gone down the path of many open source projects of only being interested in implementing new features, not fixing the broken ones which already exist

[duvien]

This is certainly a welcome hack, many thanks for sharing.

I just want to know is this for Joomla 1.0.8 and which VirtueMart version are you using this hack for?

thank you,

sunburst

[gerrybakker]

This hack works great on my Joomla 1.08 install.

sunburst - you're a Joomla hero - bring this to the attention of the other Joomla heros please and ramp this up to the attention it deserves. Maybe a loud noise from other heros will get their attention.

[benneh]

g'day sunburst, thanks for taking an interest.  i built this using the latest stable releases of both at the time, joomla 1.0.8 and virtuemart 1.0.4

Cheers.

[duvien]

This hack works great on my Joomla 1.08 install.

sunburst - you're a Joomla hero - bring this to the attention of the other Joomla heros please and ramp this up to the attention it deserves. Maybe a loud noise from other heros will get their attention.

Don't worry, i believe this good work will get some attention it deserves. The devs do views many of the threads found on this forum too. However, this isn't a good time to be raving on about it as i think the devs are under pressure and working a very tight schudule of the release of J! 1.5 Beta that's due very soon, so please be patient.

@ benneh, thanks for letting me know which version the hacks is for.

thanks,

[fatpat]

Nice hack!  Thanks!

The only "problem" that I see is someone resetting other peoples passwords.  Not really a big issue, but it could be a hassle.

Maybe a 2-stage reset would be better.

Request -> Email -> Confirm -> Reset

Cheers!
Patrick

[gerrybakker]

I dont see how anyone could reset other people's passwords because it only emails the new password to the person who needs to be able to access their own user account. The email doesn't go anywhere else or to anyone else. How could this be wrong.

A 2 stage reset would not be any better because it would still be communicating with the proper email account in each stage of the confirmation. All a 2 stage reset would do is make it more work than it needs to be.

Gerry

[fatpat]

No, when you've lost your password it's irrecoverable because of the one-way encryption so it must be reset to a random password.

Either way, no big deal.  I think this hack is much simpler for the end-user.

[benneh]

i agree fatpat your suggested way would be good.  i would suggest that it works like so:

• user enters their email address and clicks reset password
• an email arrives with a hyperlink telling them to click it if they want to reset their password, and if they didnt request the reset to simply ignore the email
• when they click the reset link in the email, it takes them to a page where they can enter a new password

and yep, it is good that joomla uses one way password hashes to verify and store passwords, i hate it when a website password reset utility sends me back my actual password because that means it is stored in cleartext somewhere...

[SteveWR]

Thanks for this hack.

I have also changed the text in language/english.php to say that User Names can be recovered not just passwords.

[Solhaug]

Nice hack

I have installed it and it works, but the mail returned with the new password does not show the login user name, how do i enable that.

i like the recovery e-mail to show both login and the reset password

i'm running ver. 1.08

Solhaug

[gerrybakker]

It works properly for me on Joomla 1.08 and Joomla 1.09
The email sent from mine looks like this:

The user account gerrybakker has this email associated with it.
A web user from http://www.legaldirectoryservices.com has just requested that a new
password be sent.

Your New Password is: AWWpgVCm

If you didn't ask for this, don't worry. You are seeing this message, not them. If
this was an error just login with your new password and then change your password to
what you would like it to be.


Also, the email Subject shows the username like this:
"LegalDirectoryServices.com :: New password for - gerrybakker"

[ot2sen]

Nice hack

I have installed it and it works, but the mail returned with the new password does not show the login user name, how do i enable that.

i like the recovery e-mail to show both login and the reset password

i'm running ver. 1.08

Solhaug

Hi Solhaug,

That issue is not related to this nice hack, but actually an error in the local translation - My mistake 
Actually I managed to translate part of the string for fetching username but noone had noticed this throughout the whole 1.0x series, until now.

The danish languagefile for 1.0.9 is now corrected and can be downloaded at the danish joomlaforge project

Cheers,
Ole

[Solhaug]

You are right 

It is fixed now.

[gypsydogg]

I agree, this definately needed to be done.  Unfortunately I can't use it because I am using community builder and it uses a different file com_comprofiler.  Any chance of anyone taking a stab at this??  I would if I new PHP.

[HansM]

Great idea to make this hack!
There are too many things that are overdosed in our world especially in software.
Nevertheless I must agree to the opinion that you it can be frustating, if anyone knowing your emailadress is able to send you new passwords all the time.

Although I will start a new topic in this forum regarding a new question, I would like to add this question in here as well, because it's a question which is near to this topic. Here it is:

Has anyone been able to drop the field username in the loginform? I think name only will do well for most websites. Who needs a separate username? I don't. I only use the login as registrationform for a newsletter for example.
Secondly, is it possible to send new users a randomized password instead of using the inputfields "password"?

Thanx for your idea.

[MoJo2]

I run 1.08 and i'm using comprofiler.
In my case this hack don't work.

Has somebody an Idea of how to change this when using comprofiler.

I think these files need to be edited beacuase they contain info about passrecovey
/www/components/comprofiler.html.php
/www/components/comprofiler.php

Thanks!

[gypsydogg]

Ya that is the same problem I have comprofiler/community builder, same thing...Anybody have the skills to help us out?

[japh]

Nice hack!  Thanks!

The only "problem" that I see is someone resetting other peoples passwords.  Not really a big issue, but it could be a hassle.

Maybe a 2-stage reset would be better.

Request -> Email -> Confirm -> Reset

Cheers!
Patrick

Hi all

The "email only" password recovery isn't that *hard* to implement, even for my (very) limited knowledge of PHP. Basically remove the "username" field from the form and modify the query to ignore the "AND username=" ...
Nice work, either way

About the "Request -> Email -> Confirm -> Reset" ... anyone has something of this type working ? I have a 4000+ users community, but there is always a dumb*** that thinks that resetting other user's passwords is funny ...

Help ? ;-)

Regards,

Paulo Pinto

[japh]

I run 1.08 and i'm using comprofiler.
In my case this hack don't work.

Has somebody an Idea of how to change this when using comprofiler.

I think these files need to be edited beacuase they contain info about passrecovey
/www/components/comprofiler.html.php
/www/components/comprofiler.php

Thanks!

Eh ... if I'm not mistaken, on comprofiler.html.php, comment out the lines:

   
     
     
   

Remember that "" ends it.

On comprofiler.php, replace:

        if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
              mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }

by

        if (!$user_id  || !$confirmEmail) {
                mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }

I *think* that's all ... but you're on your own ..

Regards,

[gypsydogg]

hmmm, I get no corrisponding username found....

[japh]

hmmm, I get no corrisponding username found....

*cof* I think I forgot something :-)

Ok, here's the code for the beginning of section "function sendNewPass" from the comprofiler.php. Notice the remarked code and the correspondent substitutions. Hopefully that is all ... ;-)

function sendNewPass( $option ) {
        global $database, $Itemid;
        global $ueConfig,$_PLUGINS;

        // ensure no malicous sql gets past
        // $checkusername = trim( mosGetParam( $_POST, 'checkusername', '') );
        $confirmEmail = trim( mosGetParam( $_POST, 'confirmEmail', '') );

        //$database->setQuery( "SELECT id FROM #__users"
        //. "\nWHERE username='$checkusername' AND email='$confirmEmail'"
        //);
        $database->setQuery( "SELECT id FROM #__users
                              WHERE email='$confirmEmail'");
        $user_id = $database->loadResult();
        $database->setQuery( "SELECT username FROM #__users
                              WHERE email='$confirmEmail'");
        $checkusername = $database->loadResult();


        //if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
        //      mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        //}

        if (!$user_id  || !$confirmEmail) {
                mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }
(...)

And about the "Request -> Email -> Confirm -> Reset" ... anyone ?

Regards,

[SteveWR]

Is this hack still ok to use in 1.0.10?



Thanks

[japh]

The hack I've "pasted" is for comprofiler (Community Builder), over 1.0RC2 (dunno if there are changes on 1.0 final).

Nothing to do with Joomla! "core" ... so I guess it doesn't matter if you're running 1.0.8 or 1.0.10 ...


And about the "Request -> Email -> Confirm -> Reset" ... anyone has a solution for it  

[gypsydogg]

Making progress, it recognized the email address, and said it was sending a new email address, but I did not receive anything yet, it might be my settings as I am in a alpha phase of my site.  I'll do a status update as soon as I find out.

[gypsydogg]

It does work!!!  Hot Damn!!

[japh]

Well.. it does work for me, so it should work for you too :P

Either way, still waiting for someone to post anything for "Request -> Email -> Confirm -> Reset" thingy ...

Regards,

[gypsydogg]

Ahhhh I know what you mean, PHPnuke has that system.  Works very well too.