I have this forgot passowrd form where it checks for a username, if it’s valid sends a temp password to his email.
It works fine,but what I need is after I submit the username , I need the page to display another form where it displays a form with the security question, if it’s valid then create the temp password and email it.
here is my code so far, I dont know where to add the new form and where to validate it exactly.
HTML::cgi_read
###############################################################
# READ / VERIFY CGI VARIABLES
###############################################################
SET_GLOBAL_VARS
if { [catch {set REMOTE_ADDR $CGI_DATA(REMOTE_ADDR) } e] } { set REMOTE_ADDR "" }
if { [catch {set HTTP_USER_AGENT $CGI_DATA(HTTP_USER_AGENT) } e] } { set HTTP_USER_AGENT "" }
if { [catch {set COOKIE $CGI_DATA(HTTP_COOKIE) } e] } { set COOKIE "" }
if { [catch {set MSG $CGI_DATA(msg) } e] } { set MSG "" }
if { [catch {set USERNAME $CGI_DATA(username) } e] } { set USERNAME "" }
if { [catch {set SECQUESTION $CGI_DATA(secquestion) } e] } { set SECQUESTION "" }
if { [catch {set SECANSWER $CGI_DATA(secanswer) } e] } { set SECANSWER "" }
###############################################################
# ONLY ALLOW HTML START TO HAPPEN ONCE!
# Remember: Redirects don't have HTML Start
# Meta Tags have to have it beforehand
# Cannot do both a redirect and a meta tag
###############################################################
set HTMLSTARTFLAG 0
proc HTML_START { } {
global HTMLSTARTFLAG
if {$HTMLSTARTFLAG < 1} {
HTML::Start
set HTMLSTARTFLAG 1
}
}
###############################################################
# START OF SCRIPT
###############################################################
if {$USERNAME != ""} {
################################
# Do the hit for the entered user
################################
set queryresult1 [InfxGetLogin $USERNAME]
#any errors go back and show the blank login page
if { [regexp -nocase "error" [lindex [split $queryresult1 ,] 0] ] } {
set junk [InfxInsertLoginHistory $USERNAME "ForgotPassword" "$REMOTE_ADDR|$HTTP_USER_AGENT" "Error"]
Redirect_Login "DB Error, Please try again."
exit
}
set login [lindex [lindex $queryresult1 0] 0]
set locked [lindex [lindex $queryresult1 0] 4]
set dbquestion [lindex [lindex $queryresult1 0] 5]
set dbanswer [lindex [lindex $queryresult1 0] 6]
set emailTo [lindex [lindex $queryresult1 0] 7]
set userId [lindex [lindex $queryresult1 0] 8]
################################
# Validate user info
################################
if {$login == ""} {
set junk [InfxInsertLoginHistory $USERNAME "ForgotPassword" "$REMOTE_ADDR|$HTTP_USER_AGENT" "DoesNotExist"]
Redirect_LoginForgotPass "Login Does Not Exist"
exit
}
#locked people shouldn't get here, but if they do, they entered the page directly, send them away
if {$locked == "t"} {
set junk [InfxInsertLoginHistory $login "ForgotPassword" "$REMOTE_ADDR|$HTTP_USER_AGENT" "AcctLocked"]
Redirect_LoginForgotPass "Account is Locked"
exit
}
################################
# Create temporary password
# Base64 encoding an rc4 encrypted text, then removing all special characters
# and taking the 1st 6 characters.
################################
set pass [::base64::encode [rc4::rc4 -key [clock scan "now"] "randomizeme"]]
regsub -all {[^a-zA-Z0-9]} $pass "" pass
set pass [string range $pass 0 5]
################################
# Update DB w/ temporary password
################################
set result [InfxResetUserPassword $userId $pass]
if { $result != "ok" } {
set junk [InfxInsertLoginHistory $login "ForgotPassword" "$REMOTE_ADDR|$HTTP_USER_AGENT" "Error"]
Redirect_LoginForgotPass "DB Error, Please try again."
exit
}
set result "ERROR"
set result [HTML::mail "test@test.com $emailTo" "$emailFrom" "$emailSubj" "$emailMsg"]
################################
# Go back to login screen on success
################################
if { $result == "0" } {
Redirect_Login "Password Changed and Email Sent"
exit
} else {
set junk [InfxInsertLoginHistory $login "ForgotPassword" "$REMOTE_ADDR|$HTTP_USER_AGENT" "EmailError"]
Redirect_LoginForgotPass "Error Sending Email"
exit
}
} else {
################################
# Initial display of username form
################################
HTML_START
puts {
<head>
<link rel="stylesheet" type="text/css" href="css/login.css" type="text/css">
<script type="text/javascript" src="js/login.js"></script>
<title> Services</title>
</head>
<body>
<br><br>
<img src="images/.gif" />
<br><br><br>
<div id="login">
<form onsubmit="return validate_login_username(this)" action="login_forgotpw.cgi" method="post">
<table cellpadding="0" cellspacing="0">
<tr>
<th colspan="2"> Password Reset</th>
</tr>
<tr>
<td><label>Username:</label></td>
<td><input name="username"></input></td>
</tr>
<tr>
<td></td>
<td><input type="submit" value="Submit"></input></td>
</tr>
</table>
</form>
</div>
}
puts " <h3 class=\"errormessage\">$MSG</h3>"
exit
}
This is the form ,i would like to add and validate ,preferebly in the same page.
puts "<form action='login_forgotpw.cgi' method='post'>"
puts "<td><label><b>Security Question : </b></td><td>$dbquestion ?</label></td></tr>"
puts "<tr>"
puts "<td><label><b>Answer:</b></td><td><input type='text' name='secanswer'></input></td>"
puts "<td><input type='submit' value='Submit'></input></td>"
Generally speaking, if you are doing a multi-stage form then you pass data from earlier steps forward via one of two mechanisms:
<input type="hidden">) in the form you send to users for handling later steps.Both methods are quite suitable for you, provided you have a secure communications channel when you deploy (setting up HTTPS in your environment is totally out of scope for this discussion). I can’t tell you how to decide which sort of form to use from your logic; it depends on constraints that you know and I don’t. I can say that between the two implementation techniques above, the advantage of #1 is that it keeps overall messages smaller, and the advantage of #2 is that it means less state management for you (since all state is kept client-side until you’re ready to process a fully-specified password change) and there’s no problem with someone guessing session keys; being somewhat security-minded myself, I’d favor using hidden fields.
When generating the form, do so in several steps:
Or consider using the html package in Tcllib for doing templating. This is discussed more on the Tcler’s Wiki.