introducing resetpass

This commit is contained in:
Thies Mueller 2021-01-08 18:44:44 +01:00
parent 1dce630341
commit 9c641b8b89
2 changed files with 61 additions and 1 deletions


@ -40,7 +40,7 @@ if(isset($_GET['send']) ) {
$mailrcpt = $user['email']; $mailrcpt = $user['email'];
$mailsubject = "New password for your User"; $mailsubject = "New password for your User";
$from = "From: Password Reset Service <resetmypw@invalid.example.com>"; //place a real address if we use this in production $from = "From: Password Reset Service <resetmypw@invalid.example.com>"; //place a real address if we use this in production
$url_passwordcode = 'https://loginpagefoo.td00.de/forgotpass.php?userid='.$user['id'].'&code='.$passwordcode; //this shouldnt be my domain in prod.. $url_passwordcode = 'https://loginpagefoo.td00.de/resetpass.php?userid='.$user['id'].'&code='.$passwordcode; //this shouldnt be my domain in prod..
$text = 'Hallo '.$user['username'].', $text = 'Hallo '.$user['username'].',
please use the following URL to change your password in the next 24h: please use the following URL to change your password in the next 24h:
'.$url_passwordcode.' '.$url_passwordcode.'

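--- /dev/null
+++ b/resetpass.php
@@ -0,0 +1,60 @@
+<?php
+$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
+if(!isset($_GET['userid']) || !isset($_GET['code'])) {
+die("No code delivered. nothing to do here.");
+}
+$userid = $_GET['userid'];
+$code = $_GET['code'];
+$statement = $pdo->prepare("SELECT * FROM users WHERE id = :userid");
+$result = $statement->execute(array('userid' => $userid));
+$user = $statement->fetch();
+//check if theres a code for the user delivered
+if($user === null || $user['passwordcode'] === null) {
+die("No User matching your request.");
+}
+if($user['passwordcode_time'] === null || strtotime($user['passwordcode_time']) < (time()-24*3600) ) {
+die("Ooops. This code isn't valid anymore.");
+}
+if(sha1($code) != $user['passwordcode']) {
+die("Thats not your code. Naughty user!");
+}
+if(isset($_GET['send'])) {
+$password = $_POST['password'];
+$password_confirm = $_POST['password_confirm'];
+if($password != $password_confirm) {
+echo "password or confirmed password wrong";
+} else {
+$passwordhash = password_hash($password, PASSWORD_DEFAULT);
+$statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
+$result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
+if($result) {
+die('Changed password. Please goto <a href="login.php">login</a> now.');
+}
+}
+}
+?>
+<h1>Set new password</h1>
+<form action="?send=1&amp;userid=<?php echo htmlentities($userid); ?>&amp;code=<?php echo htmlentities($code); ?>" method="post">
+Please enter new password:<br>
+<input type="password" name="password"><br><br>
+Confirm new password:<br>
+<input type="password" name="password_confirm"><br><br>
+<input type="submit" value="save change">
+</form>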
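Review bot: The reset-code check `if(sha1($code) != $user['passwordcode'])` uses loose `!=` and a non-constant-time compare: two hex digests of the form `0e…` followed by digits are treated as equal numeric strings, and the comparison time varies with how many leading bytes match; replace it with `if (!hash_equals($user['passwordcode'], sha1($code)))`. Two lines earlier, `$user === null` never matches because PDOStatement::fetch() returns `false` when no row exists, so the guard should read `if ($user === false || $user['passwordcode'] === null)`. The update branch is gated only on `isset($_GET['send'])` while the values come from `$_POST`, so a GET request carrying `send=1` and a valid code reaches `password_hash()` with undefined (empty) passwords that compare equal; guard it with `if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['password'], $_POST['password_confirm']) && $_POST['password'] !== '')` and consider enforcing a minimum length before hashing. The `password != $password_confirm` check on the next line should likewise be `!==` so the comparison is strict.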