Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

Better Password Recovery

 
Reply
   X-Cart forums > X-Cart 4 > Dev Questions
 
Thread Tools Search this Thread
  #1  
Old 03-06-2008, 01:54 AM
  mikeholliday's Avatar 
mikeholliday mikeholliday is offline
 

Newbie
  
Join Date: Oct 2006
Location: California
Posts: 7
 

Default Better Password Recovery

By default X-Cart sends the user's password in clear text via email when they try to recover their password. This is stupid and easily fixed with a few lines of code. This mod will set the user's password to a random string, email them that string, and force them to reset their password on next login. Yeah, I know a password is still sent in plain text, but at least it is not their actual password they were using and are probably going to set it back to.

Here are the changes you need to make (4.1.9).

ADD this function to include/func/func.core.php

Code:
function createRandomPassword() { $chars = "abcdefghijkmnopqrstuvwxyz023456789"; srand((double)microtime()*1000000); $i = 0; $pass = '' ; while ($i <= 7) { $num = rand() % 33; $tmp = substr($chars, $num, 1); $pass = $pass . $tmp; $i++; } return $pass; }

This function is compliments of http://www.totallyphp.co.uk/code/create_a_random_password.htm, I was lazy...

CHANGE include/help.php
Code:
foreach ($accounts as $key => $account) { $accounts[$key]["password"] = text_decrypt($account["password"]); if (is_null($accounts[$key]["password"]) || $accounts[$key]["password"] === false) { $accounts[$key]["password"] = func_get_langvar_by_name("err_data_corrupted"); if (is_null($accounts[$key]["password"])) { x_log_flag("log_decrypt_errors", "DECRYPT", "Could not decrypt password for the user ".$account['login'], true); } } } $mail_smarty->assign("accounts",$accounts); func_send_mail($email, "mail/password_recover_subj.tpl", "mail/password_recover.tpl", $config["Company"]["support_department"], false); func_header_location("help.php?section=Password_Recovery_message&email=".urlencode($email)); }

TO:

Code:
foreach ($accounts as $key => $account) { $accounts[$key]["password"] = text_decrypt($account["password"]); if (is_null($accounts[$key]["password"]) || $accounts[$key]["password"] === false) { $accounts[$key]["password"] = func_get_langvar_by_name("err_data_corrupted"); if (is_null($accounts[$key]["password"])) { x_log_flag("log_decrypt_errors", "DECRYPT", "Could not decrypt password for the user ".$account['login'], true); } } $newpassword = createRandomPassword(); $newcrpyt = text_crypt($newpassword); $newpasswordarray['password'] = $newcrpyt; $newpasswordarray['change_password'] = 'Y'; func_array2update('customers', $newpasswordarray, "login='$account[login]' AND usertype='$account[usertype]'"); } $mail_smarty->assign("accounts",$accounts); $mail_smarty->assign("newpassword",$newpassword); func_send_mail($email, "mail/password_recover_subj.tpl", "mail/password_recover.tpl", $config["Company"]["support_department"], false); func_header_location("help.php?section=Password_Recovery_message&email=".urlencode($email)); }

Now you need to change your email templates. If you are using plain text email edit the template in skin1/mail/. If you are using HTML email edit the template in skin1/mail/html.

password_recover.tpl

Plain Text
FROM
Code:
{$lng.lbl_password|truncate:$max_truncate:"...":true|cat:":"|string_format:$max_space}{$accounts[acc_num].password}
TO
Code:
Your password has been reset. Your new password is now ($newpassword). Please change you password when you login.


HTML

FROM
Code:
<td><tt>{$lng.lbl_password}:</tt></td> <td>&nbsp;</td> <td><tt>{$accounts[acc_num].password}</tt></td>

TO
Code:
<td><tt>Your password has been reset.<br><br>Your new password is now {$newpassword}.<br><br>You will be required to change your password at next logon.</tt></td>

Make sure to check your colspan attrib in your TDs. I consolidated the 3 columns to 1.


Cheers & Happy Coding,
__________________
Vice President
GFL Systems, Inc.
Reply With Quote
  #2  
Old 03-08-2008, 07:00 AM
 
jeanne jeanne is offline
 

Advanced Member
  
Join Date: Aug 2004
Posts: 85
 

Default Re: Better Password Recovery

This didn't work for me. My test account has multiple login names with the same email, so I'm not sure if that was the issue.
The temporary password sent in the email did not allow me to login. I had to change it in admin.
__________________
Jeanne
4.1.8 Gold
Reply With Quote
  #3  
Old 07-02-2010, 06:01 AM
 
Tony Pearce Tony Pearce is offline
 

eXpert
  
Join Date: Apr 2004
Location: Totnes, Devon, UK
Posts: 217
 

Default Re: Better Password Recovery

works in version 4.1.12

Thanks very much for a great snippet...

Tony
__________________
X Cart version 4.1.9, 4.1.10, 4.1.11, 4.1.12
(Looking after 15 stores)
Just started 4.4.1 for client....
One Page Checkout, On-Sale, Dynamic Images ++++ Loads of others.
+ 2 Multi Domain stores on 4.1.9
Reply With Quote
Reply
   X-Cart forums > X-Cart 4 > Dev Questions


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 04:37 AM.

   

 
X-Cart forums © 2001-2020