TECH6.0

Forgotten Password


Level: Beginner
Requirements: DreamweaverMX, Access2000
Language: ASP VBScript


Introduction


This tutorial will run you through the simple process of setting up a page that a user can use if they have forgotten their password. To send the password to the user, the user will have to enter their username, if correct the page will email the users password to their registered email address.

The email component used for this tutorial is Jmail, however, the tutorial has been written to allow you to easily use any component that your server might offer. Further reading of this tutorial shows how to use other components for this tutorial:


Step 1: Creating the table.


We will use one simple table for this tutorial.


tblUsers
- UserID (Primary Key, Autonumber)
- Username (Text)
- Password (Text)
- Email (Text)


As usual, it would be best to fill up this table with some relevant information, so enter some user details into it and we will be ready to go.


Step 2: Creating the page.


Now we have the table, create a new page called forgot.asp, on it, create a form, in that form a bit of text something like "Enter your password", beside the create a text field and name it "username", beside that create a button and finally a hidden field called "process" with the initial value of "true".






That is pretty much it for details on the page. Next we want to grab the information entered by the user and action it.


Step 3: Processing the form.


Create a recordset called rsUser as shown in the image below.






That will, as usual, create a nice new chunk of code in your code editor. So scroll up to that and have a look. Nice eh? Below that recordset code open a new code bracket and enter the code below.


A quick run down of the code above tells us that first, the code checks to see if the form has been processed by looking for the value true in the form field process. If that is true, it then checks the recordset for a valid record based on the criteria we used to create the recordset. If a record is present in the recordset, that means the user has entered a username that has been matched in the user table, meaning we can then send the email to the user whose record is now live within the recordset. Phew, bit of a mouthful eh?
So from there we then need to send the actual email off to the user with the relevant details. You will notice a Call statement in there, this will call the subroutine that will are going to create to send the email to the user. This subroutine requires to pieces of information, the email address to send the mail to and the password, which is used within the body of the email.
So, as I said at the beginning I am using Jmail for this example, so below the final End If in the above code, continue with this code...


As you will once again see the subroutine requires two parameters, vEmail and vPassword, these are the only two things that will change in the actual action of the email. Look down a bit through that code and you will see where we implement the two parameters within the code.
Basically, to use this routine with another email component, it is simply a point of removing all the code between the opening and closing of the sub, eg.


...and entering in the code for another email component replacing the EMAIL TO requirement to the vEmail parameter and the body of the email with the subject text above.
As an example, here is the code you would use if you required the CDONTS script.


Applying this technique to any other email component script should result in success.
Finally, just run the script and check it out. It will send a short but sweet email to the user with their password.

__________________

Thanks I used this.

__________________
My iPhone is better than yours...........

I Am Back!

There's one thing I'd like to recommend if you're actually using this !!

Its simply pulling off the password string in simple text format and emailing it to the corresponding email address in the table. So, this would only work if you are NOT encrypting passwords in the database... which is NOT a good practice now.

I think it would be a bit more of homework but for sure 100 times better for you and for your users if you start encrypting your passwords in the database.

In this case, to complete the forgot password request:-

1. Do not forget to store encrypted passwords at registration.
2. When somebody requests for forgot pass., do nothing instead send him an email to click on the confirmation link.
3. The link in the email when followed, should generate a random password (storing it encrypted) and sent in en email.

This is the best way to do it and you'll find the same process in almost every site. I have implemented the whole process on my website. Earlier I used the same above process as my site was in ASP (unencrypted) but is in PHP now (encrypted). I'll soon put a complete tutorial to do so in total PHP. You would love it.

__________________

mate....r u switching to PHP ?.....

About encrypt password i came to see one article may be helpful ..

http://www.webcheatsheet.com/ASP/md5..._passwords.php

have a look...


regards

spec_tray

__________________
" There are no failures - just experiences and your reactions to them.

New members Please read before u post
General Tech6 Rules !!!

CSS Validator | Markup Validator | RSS Validator

Have already switched over to PHP Spec_tray.. and I'm loving it !! This site is currently hosted on Windows server just because I had another website written in ASP and wanted both to reside on 1 server, but few days back I finished off with converting it to PHP as well. Will soon be moving to linux now.

okayy... I went through the article..
by the way, I read somewhere that MD5 cryptographic hash function is not secure anymore coz its algorithm has already been ****ked. Even SHA1() isn't left secure.

I am using strong SHA256 algorithm for encrypting passwords in my DB which is considered highly secure.

Check out this implementation of SHA256 in PHP. I am using the same and works perfect.

__________________

Waaaow......

Thats super Wwzy..(SHA256 in PHP),Now i know why u love php
I m also thinking abt that:wink:

I came to know about another method i.e RC4 Encryption Using ASP & VBScript Is it secure ?

Regards

Spec_tray

__________________
" There are no failures - just experiences and your reactions to them.

New members Please read before u post
General Tech6 Rules !!!

CSS Validator | Markup Validator | RSS Validator

Can't comment much on it as I have never used it myself.
Here's a script for testing RC4 encryption in ASP with the source code as well.

and this is what Wikipedia states about this algorithm:-

__________________

Thanks for this information and that link mate, will make more research on that...

and

happy coding

__________________
" There are no failures - just experiences and your reactions to them.

New members Please read before u post
General Tech6 Rules !!!

CSS Validator | Markup Validator | RSS Validator

Very very nice tutorial, this is very good for beginners, haha, like me! I will enjoy using this, that is, If I get my Login and Registration working, lol! I will have to save a link of this when I get to this.

Also, very good guide, it has a good amount of content, and I hope you make more for beginner levels! ( Wich is me, lol! ) And if you decided to make a new guide, please make a Login and Registration system.

A complete Registration system tutorial already exists. Check out the Stickied threads in PHP/MySQL Forum.

__________________

Huh, I didn't see that forum, I'll check it out.