Figure 6-6: Flow diagram of the forgotten-password recovery application.
[Flowchart: Start → Step = 1? → Get email address → Does email address belong to a user? (No → End) → Send email to user with a URL that contains user_id, request_checksum, step = 2 → Is the request_checksum valid? → Get new password from user → Is password OK? → Store encrypted password → End.]
Implementing the forgotten-password recovery application

The forgotten-password recovery application implements the following methods:

◆ resetPasswordDriver(): This method uses the global form variable, $step, to determine the phase of the forgotten-password recovery process. The tasks performed by this method are as follows:

1 When $step is unset, the first step in the process is assumed and the user is presented with an interface to enter her username (e-mail address).

2 When the user has entered the username, the interface supplies a new value (2) for $step, which is embedded as a hidden field within the HTML form displayed in the first step.

3 In the second step, the method calls sendEmail() to send an e-mail to the user with a link that enables her to return to this application and enter the third step.

4 When the user clicks the e-mailed link, an interface that enables her to change her password is presented. Submitting the new password together with the confirmation password makes the method enter the final step.

5 In the final step, the method calls resetPassword() to replace the existing password with the newly entered one.

◆ resetPassword(): This method performs the actual task of resetting the existing password to the newly entered password. It works as follows:

1 It uses getCheckSum() to calculate the checksum of the request and compares it with the checksum supplied in the request. If they don't match, the application shows an alert message and returns the user to the previous screen.

2 It uses checkPassword() to check the new password for length and dummy-password issues.

3 It creates a two-character salt from two random characters, encrypts (one-way hashes) the user-entered password with that salt, and adds the result to an associative array called $hash.

4 It creates a User object, $userObj, and calls getUserInfo() to load the user information.

5 It calls updateUser() with $hash as the parameter. updateUser() performs the actual database operation of updating the password; it updates only the password because $hash contains only the password information.

6 It displays the appropriate success or failure status message.

◆ email(): This method is called by showScreen() to populate the e-mail template, which becomes the HTML message sent to the user who is requesting the change for a forgotten password. It works as follows:

1 It creates a User object, $userObj, and uses getUserIDByName() to retrieve the user's ID.

2 It returns FALSE if the user ID is not found. Otherwise, it uses getCheckSum() to generate a checksum for the current user ID.

3 It incorporates the checksum value in a URL along with the user ID and the step value set to 3.

4 It embeds the forgotten-password application URL into the HTML template by replacing the PASSWORD_URL tag with the URL value.

5 It returns TRUE status.
The following are the other methods implemented in this application.

run()
Calls resetPasswordDriver(), which is responsible for managing the entire forgotten-password process.

sendEmail()
Sends an e-mail to the user containing a link she can use to return to the forgotten-password application and enter a new password. The e-mail message is read as an HTML template, which is processed by the showScreen() method. showScreen() calls the email() method to create the actual message, which sendEmail() then sends to the user.

getCheckSum()
Creates a checksum value from the user ID and a secret random number loaded from the configuration file. The checksum is what stops an attacker who knows a user's ID from forging the e-mailed link; it is only as strong as the secret, which must stay private and be hard to guess.

checkPassword()
Checks the user-entered password for length and confirmation tests.

get_username()
Called by the showScreen() method when displaying the username entry interface as the first step in resetting the forgotten password.

reset_pwd()
Called by the showScreen() method when displaying the password entry interface as the third step in resetting the forgotten password.

authorize()
Because anyone can request to change her password, the authorization method always returns TRUE.
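The flow described above, as an added example that is not the book's code: a self-contained PHP sketch of resetPasswordDriver(), resetPassword(), getCheckSum() and checkPassword() (the names are reused from the text; the bodies are written for this example). It assumes an in-memory $USERS array in place of the User class and database, a $RESET_SECRET in place of $SECRET, an assumed $TOKEN_TTL, and it swaps in two techniques: the checksum is an HMAC-SHA256 over the user ID and an expiry time, keyed with a long random secret and compared with hash_equals(), rather than a checksum over the user ID and a numeric secret; and the password is stored with password_hash() rather than two-character-salt encryption. It also answers the e-mail form identically whether or not the address exists, unlike email() returning FALSE, so the form cannot be used to enumerate accounts.

```php
<?php
// Added example, not the book's code: a self-contained version of the
// three-step forgotten-password flow. An in-memory $USERS array stands in
// for the User class and database; $RESET_SECRET stands in for $SECRET.
declare(strict_types=1);

$RESET_SECRET = bin2hex(random_bytes(32)); // in practice, load from config
$MIN_PASSWORD_SIZE = 8;
$DUMMY_PASSWD = '1234567890';
$TOKEN_TTL = 3600; // assumed: links expire after one hour (the book's link has no expiry)

// Constructed sample user table: email => [id, password hash]
$USERS = ['alice@example.com' => ['id' => 42, 'hash' => password_hash('old-password', PASSWORD_DEFAULT)]];

function getUserIDByName(array $users, string $email): ?int
{
    return $users[$email]['id'] ?? null;
}

// Keyed checksum over user ID and expiry (HMAC-SHA256 instead of the book's
// checksum over user ID + numeric secret). The secret never leaves the server.
function getCheckSum(int $userId, int $expires, string $secret): string
{
    return hash_hmac('sha256', $userId . ':' . $expires, $secret);
}

// Build the URL that email() embeds in place of the PASSWORD_URL tag.
function buildResetURL(string $base, int $userId, string $secret, int $now, int $ttl): string
{
    $expires = $now + $ttl;
    return $base . '?' . http_build_query([
        'user_id' => $userId, 'expires' => $expires,
        'request_checksum' => getCheckSum($userId, $expires, $secret), 'step' => 3,
    ]);
}

// Recompute the checksum and compare in constant time; reject expired links.
function checksumIsValid(array $req, string $secret, int $now): bool
{
    if (!isset($req['user_id'], $req['expires'], $req['request_checksum'])) return false;
    $userId = (int)$req['user_id'];
    $expires = (int)$req['expires'];
    if ($expires < $now) return false;
    return hash_equals(getCheckSum($userId, $expires, $secret), (string)$req['request_checksum']);
}

// checkPassword(): length, dummy-password and confirmation tests.
function checkPassword(string $pwd, string $confirm, int $minSize, string $dummy): bool
{
    return strlen($pwd) >= $minSize && $pwd !== $dummy && $pwd === $confirm;
}

// resetPassword(): verify the checksum, validate the new password, store its hash.
function resetPassword(array &$users, array $req, string $secret, int $now, int $minSize, string $dummy): bool
{
    if (!checksumIsValid($req, $secret, $now)) return false;
    if (!checkPassword((string)($req['password'] ?? ''), (string)($req['password2'] ?? ''), $minSize, $dummy)) return false;
    $userId = (int)$req['user_id'];
    foreach ($users as &$row) {
        if ($row['id'] === $userId) {
            $row['hash'] = password_hash((string)$req['password'], PASSWORD_DEFAULT);
            return true;
        }
    }
    return false;
}

// resetPasswordDriver(): dispatch on $step (1 = ask for e-mail, 2 = send link,
// 3 = show the new-password form from the link, 4 = final reset).
function resetPasswordDriver(array &$users, array $req, string $secret, int $now, int $minSize, string $dummy, int $ttl): string
{
    switch ((int)($req['step'] ?? 1)) {
        case 2:
            $id = getUserIDByName($users, (string)($req['email'] ?? ''));
            if ($id !== null) {
                $url = buildResetURL('https://example.com/user_mngr/apps/user_mngr_forgotten_pwd.php', $id, $secret, $now, $ttl);
                // sendEmail($req['email'], $url) would go here.
            }
            // Same reply whether or not the address exists, so the form cannot enumerate users.
            return 'if that address is registered, a reset link has been sent';
        case 3:
            return checksumIsValid($req, $secret, $now) ? 'show new-password form' : 'invalid or expired link';
        case 4:
            return resetPassword($users, $req, $secret, $now, $minSize, $dummy) ? 'password updated' : 'reset failed';
        default:
            return 'show username form';
    }
}

// Walk the flow end to end: request a link, follow it, submit a new password.
$now = time();
$url = buildResetURL('https://example.com/reset.php', 42, $RESET_SECRET, $now, $TOKEN_TTL);
parse_str((string)parse_url($url, PHP_URL_QUERY), $link);
$link = array_merge($link, ['step' => 4, 'password' => 'correct-horse-battery', 'password2' => 'correct-horse-battery']);
echo resetPasswordDriver($USERS, $link, $RESET_SECRET, $now, $MIN_PASSWORD_SIZE, $DUMMY_PASSWD, $TOKEN_TTL), "\n";
var_dump(password_verify('correct-horse-battery', $USERS['alice@example.com']['hash']));
// A tampered checksum (or a link older than $TOKEN_TTL) is rejected.
$link['request_checksum'] = str_repeat('0', 64);
echo resetPasswordDriver($USERS, $link, $RESET_SECRET, $now, $MIN_PASSWORD_SIZE, $DUMMY_PASSWD, $TOKEN_TTL), "\n";
```

Run it from the command line with php. Three points from this sketch are worth carrying back to the book's design: the link as described carries only the user ID and the checksum, so it never expires and can be replayed until the password is changed again; the $SECRET in Listing 6-7 is a six-digit number, so if the checksum construction is known, an attacker who obtains one valid link for his own account has only about a million candidates to try offline; and comparing checksums with hash_equals() rather than a plain string comparison avoids leaking timing information.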
Listing 6-7 shows the code for the forgotten-password recovery application.
Listing 6-7: usermngr_forgotten_pwd.php
<?php
// Turn on all error reporting
error_reporting(E_ALL);

// If you have installed the framework directory in
// a different directory than
// %DocumentRoot%/framework, change the setting below
$APP_FRAMEWORK_DIR = $_SERVER['DOCUMENT_ROOT'] . '/framework';
$PEAR   = $_SERVER['DOCUMENT_ROOT'] . '/pear';
$PHPLIB = $_SERVER['DOCUMENT_ROOT'] . '/phplib';

// Insert the path in the PHP include_path so that PHP
// looks for PEAR, PHPLIB and our application framework
// classes in these directories
ini_set('include_path', ':' .
        $PEAR . ':' .
        $PHPLIB . ':' .
        $APP_FRAMEWORK_DIR . ':' . ini_get('include_path'));

$AUTHENTICATION_URL = "/login/login.php";
$LOGOUT_URL = "/logout/logout.php";
$APP_MENU = '/home/home.php';
$APPLICATION_NAME = 'USER_MNGR';
$XMAILER_ID = 'Example User Manager Version 1.0';
$DEFAULT_LANGUAGE = 'US';
$DEFAULT_DOMAIN = 'example.com';
$ROOT_PATH = $_SERVER['DOCUMENT_ROOT'];
$REL_ROOT_PATH = '/user_mngr';
$REL_APP_PATH = $REL_ROOT_PATH . '/apps';
$TEMPLATE_DIR = $ROOT_PATH . $REL_APP_PATH . '/templates';
$CLASS_DIR = $ROOT_PATH . $REL_APP_PATH . '/class';
$REL_TEMPLATE_DIR = $REL_APP_PATH . '/templates/';

require_once "user_mngr.errors";
require_once "user_mngr.messages";
require_once 'DB.php';
require_once $APP_FRAMEWORK_DIR . '/' . 'constants.php';
require_once $APP_FRAMEWORK_DIR . '/' . $APPLICATION_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $ERROR_HANDLER_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $AUTHENTICATION_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $DBI_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $USER_CLASS;
require_once $TEMPLATE_CLASS;

$MIN_USERNAME_SIZE = 3;
$MIN_PASSWORD_SIZE = 3;
$DUMMY_PASSWD = '1234567890';
$ROOT_USER = 'kabir@evoknow.com';
// Secret used by getCheckSum() to protect the e-mailed link; keep it private
$SECRET = 916489;
$CHAR_SET = 'charset=iso-8859-1';

// Application names
$USERMNGR_MNGR = 'user_mngr.php';
$USERMNGR_FORGOTTEN_APP = 'user_mngr_forgotten_pwd.php';
$USERMNGR_CHANGE_PWD_APP = 'user_mngr_passwd.php';

/* -START TABLE NAMES - */
// Connects as the MySQL root user; a least-privilege account is preferable in production
$APP_DB_URL = 'mysql://root:foobar@localhost/auth';