I have a basic authentication process that uses Zend_Auth_Adapter_DbTable. I have login and logout actions on my Authentication Controller. Now I want to create a function to reset forgotten passwords by automatically generating a password, saving the new password, and sending them an email with the newly generated password.
What would be the best process to go about doing this? How should I generate a new password? Does the Zend Framework have anything that would make this easier?
I have also heard about sending an email with a link to a short term page that lets them set a new password. How might this be done with the Zend Framework?
Zend Framework does not have a password-generating class. Here’s an article on how to use the PEAR module
Text_Passwordto generate a password: https://web.archive.org/web/1/http://blogs.techrepublic%2ecom%2ecom/howdoi/?p=118However, it’s not a good security practice to send the password in a plain email. Instead, you should reset their account so they can temporarily log in without giving a password (given an expiring URL you send them in the email), and once they log in, require them to update their own password to something they know. Then store the salted hash of their password.
Here’s some suggestion off the top of my head for doing this in Zend Framework:
AccountResetwith fields:reset_id(GUID primary key),account_id(reference toAccounts.account_id), andexpiration(timestamp).AccountController::resetAction(), i.e. in the same controller you use for creating accounts, logging in, changing passwords, etc.AccountResettable with a new GUID, a reference to the user’s account, and anexpiration30 minutes or so in the future.<GUID>‘ (if you’re clever with routing rules, you can shorten that URL, but keep the GUID in it).AccountController::resetAction()receives the request, it looks up itsreset_idparam in theAccountResettable. If that GUID exists and theexpirationtime has not passed, present the user with a form to change his password (without requiring he is authenticated and logged in).resetAction()receives a request with no GUID, or the GUID doesn’t exist in the database, or that row has passed itsexpiration, then this action may instead present the user with a button to initiate a new reset request, and send an email with a new GUID. Remember to make this button a POST request!Because the GUID is communicated only in email to the address for that user, no one else can gain access to change the password. Even if the user’s email gets intercepted, there’s only a limited time the GUID would grant that access.
If you want to be even more cautious, you could make note of the client IP address in the
AccountResettable, and require the password be changed from a client with the same IP address, within that 30 minute window.This is only off-the-cuff, and I haven’t implemented it or evaluated it for proper security. If you are responsible for implementing security, it’s your duty to read up on security issues. A well-regarded resource for PHP security is http://phpsecurity.org/.