Best Way To Handle Changes

Aleeious
Posts: 55
Joined: Tue Sep 13, 2011 1:22 pm

Best Way To Handle Changes

Post by Aleeious »

What is the best way to handle password resets, password changes and email changes? Right now for password resets I simply reset the password and email the new password. This, however, means someone can easily lock someone out by asking for a password reset as another user. For password changes I simply change the password. I haven't come up with a way to handle email changes, as anyone who can log in as the user can simply change the user's email and "steal the account". Any assistance in this matter would be greatly appreciated.

Sincerely,

Aleeious
a_bertrand
Posts: 1537
Joined: Mon Feb 25, 2013 1:46 pm

Re: Best Way To Handle Changes

Post by a_bertrand »

A password reset should be done like this:
Somebody asks for a password reset.
You send to the registered mail a link with a unique URL (like with an ID or something).
The player clicks this link, and is asked to provide a new password twice.

Therefore you can't reset the password for somebody else, because until the owner of the mailbox clicks the link, nothing happens.

Email changes can vary, from not possible, to sending an email again to the email with a unique link, or directly accepting a new email. That's all up to you.
Creator of Dot World Maker
Mad programmer and annoying composer
Aleeious
Posts: 55
Joined: Tue Sep 13, 2011 1:22 pm

Re: Best Way To Handle Changes

Post by Aleeious »

a_bertrand wrote: A password reset should be done like this:
Somebody asks for a password reset.
You send to the registered mail a link with a unique URL (like with an ID or something).
The player clicks this link, and is asked to provide a new password twice.

Therefore you can't reset the password for somebody else, because until the owner of the mailbox clicks the link, nothing happens.

Email changes can vary, from not possible, to sending an email again to the email with a unique link, or directly accepting a new email. That's all up to you.

How would I handle the unique-URL-like thing? I've seen them before, but I can't figure out how to do it. I would imagine there would be a field in the database to hold the unique ID, but how do I handle it after the user has changed his password? Do I set it to 0 or blank?

Sincerely,

Aleeious
a_bertrand
Posts: 1537
Joined: Mon Feb 25, 2013 1:46 pm

Re: Best Way To Handle Changes

Post by a_bertrand »

Either, when the request for the reset is made, you generate a random string or number and save it in the DB as well as send it to the email, or you use something like an MD5 of the username + some internal known string, which means that would be a unique URL for this user.
Creator of Dot World Maker
Mad programmer and annoying composer
Aleeious
Posts: 55
Joined: Tue Sep 13, 2011 1:22 pm

Re: Best Way To Handle Changes

Post by Aleeious »

a_bertrand wrote: Either, when the request for the reset is made, you generate a random string or number and save it in the DB as well as send it to the email, or you use something like an MD5 of the username + some internal known string, which means that would be a unique URL for this user.

Thanks, now how should I handle email changes? Right now I require the current password to change it. Should I leave it as is, or should I implement it the same way I did with the password? Any assistance in this matter would be greatly appreciated.

Sincerely,

Aleeious
a_bertrand
Posts: 1537
Joined: Mon Feb 25, 2013 1:46 pm

Re: Best Way To Handle Changes

Post by a_bertrand »

Read back my posts... I answered you already.
Creator of Dot World Maker
Mad programmer and annoying composer
KyleMassacre
Posts: 573
Joined: Wed Nov 27, 2013 12:42 pm

Re: Best Way To Handle Changes

Post by KyleMassacre »

I would say that you should always ask for the current password when doing any sort of preference changes, whether it be password or email. If the player has his account compromised then there is really nothing you can do about it. If it's a password reset, maybe what I would do is ask for the username and email address for the account and always send whatever you're going to send (some sort of unique key) to the email that's associated with the account and not what the user types in, and verify it's correct before sending it.

And like I said, if a bad guy has access to the account he's trying to change then you have bigger problems.
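
The reset flow a_bertrand and KyleMassacre describe above, as an added example that is not part of either post: it takes the random-token option, checks the typed email but mails only the registered address, and leaves the old password in place until the link is used. The SQLite tables, the one-hour lifetime and all function names are assumptions, and `new_password_hash` is assumed to come from a proper password-hashing function in the caller.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 3600  # assumption: a reset link stays valid for one hour

def make_db():
    """In-memory schema with one constructed sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, password TEXT)")
    db.execute("CREATE TABLE resets (token_hash TEXT PRIMARY KEY, name TEXT, expires REAL)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.test', 'old-hash')")
    return db

def _digest(token):
    # Only a hash of the token is stored, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(db, name, typed_email, now=None):
    """Return (registered_email, token) to mail out, or None if nothing is sent."""
    now = time.time() if now is None else now
    row = db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or row[0].lower() != typed_email.strip().lower():
        return None  # the caller shows the same message either way
    token = secrets.token_urlsafe(32)  # unguessable, drawn from the OS CSPRNG
    db.execute("DELETE FROM resets WHERE name = ?", (name,))  # one live link per user
    db.execute("INSERT INTO resets VALUES (?, ?, ?)",
               (_digest(token), name, now + TOKEN_TTL))
    return row[0], token  # mail goes to the stored address, never the typed one

def redeem_reset(db, token, new_password_hash, now=None):
    """Set the new password if the token is valid; each token works once."""
    now = time.time() if now is None else now
    row = db.execute("SELECT name, expires FROM resets WHERE token_hash = ?",
                     (_digest(token),)).fetchone()
    if row is None:
        return False  # unknown, already used, or replaced by a newer request
    db.execute("DELETE FROM resets WHERE token_hash = ?", (_digest(token),))
    if now > row[1]:
        return False  # expired; the row is gone, so the link is dead for good
    db.execute("UPDATE users SET password = ? WHERE name = ?",
               (new_password_hash, row[0]))
    return True
```

Deleting the row on use, instead of setting a column to 0 or blank, leaves nothing for a second click to match.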
Aleeious
Posts: 55
Joined: Tue Sep 13, 2011 1:22 pm

Re: Best Way To Handle Changes

Post by Aleeious »

a_bertrand wrote: Read back my posts... I answered you already.

I was referring to the email, not the password, in my latest post.

KyleMassacre wrote: I would say that you should always ask for the current password when doing any sort of preference changes, whether it be password or email. If the player has his account compromised then there is really nothing you can do about it. If it's a password reset, maybe what I would do is ask for the username and email address for the account and always send whatever you're going to send (some sort of unique key) to the email that's associated with the account and not what the user types in, and verify it's correct before sending it.

And like I said, if a bad guy has access to the account he's trying to change then you have bigger problems.

I do this already, but I guess I can simply change the email without any type of confirmation. As you said, if the account is compromised there isn't really anything I can do :(

Sincerely,

Aleeious
a_bertrand
Posts: 1537
Joined: Mon Feb 25, 2013 1:46 pm

Re: Best Way To Handle Changes

Post by a_bertrand »

And I was telling you I answered you in the first post of mine:
Email changes can vary, from not possible, to sending an email again to the email with a unique link, or directly accepting a new email. That's all up to you.
Creator of Dot World Maker
Mad programmer and annoying composer
Aleeious
Posts: 55
Joined: Tue Sep 13, 2011 1:22 pm

Re: Best Way To Handle Changes

Post by Aleeious »

a_bertrand wrote: And I was telling you I answered you in the first post of mine:
Email changes can vary, from not possible, to sending an email again to the email with a unique link, or directly accepting a new email. That's all up to you.

Sorry, I missed that part. How do you currently handle changing the email address in your script?

Sincerely,

Aleeious