Archive for February, 2008

Friday, February 15th, 2008

Part V: Case Studies, Listing 44-6 (continued)

    update);
    // Send the email
    $to = $_POST['email'];
    $from = 'forgot@example.com';
    $subject = 'New password';
    $msg = <<< EOMSG
You recently requested that we send you a new password for Example.com.

Your new password is: $password

Please log in at this URL: http://localhost/login.html

Then go to this address to change your password: http://localhost/changepass.php
EOMSG;
    $mailsend = mail("$to", "$subject", "$msg", "From: $from\r\nReply-To: webmaster@example.com");
    // Redirect to login
    header('Location: login.html');
    } else {
        // The email address isn't good, they lose.
    }
}
// -----------------------
// Display the form nicely
// -----------------------
// Superglobal arrays don't work in heredoc
$php_self = $_SERVER['PHP_SELF'];
$form_str = <<< EOFORMSTR
Friday, February 15th, 2008

Chapter 44: User Authentication

Listing 44-6 is called forgot.php. It shows a form, generates a random new password, and sends it to the user's recorded e-mail address.

Listing 44-6: Form to handle forgotten passwords (forgot.php)

Thursday, February 14th, 2008

Figure 44-2: Login page

User Tools

Registration and login are the core of your user management system, but you also need tools for various common situations, such as forgotten passwords, changing a password, or changing less-sensitive user information.

Forgotten password

The most common way to deal with a forgotten password is to simply mail it to the e-mail address you have on file for a particular user. Many sites a lot larger than yours do this. Cases of stealing passwords this way may have been reported, but it's not a rampant problem, especially if people do the smart thing, which is to immediately change the password as soon as they can log on.

There are more elaborate ways to deal with forgotten passwords. One of us, for example, once worked on a system where an e-mail was sent containing a link that allowed the user to visit a special page, which existed once and only once, which allowed the user to change his or her password without actually logging in. It was a somewhat neurotic solution to the problem, but it worked.

We believe the best compromise is simply to mail a new computer-generated random password. This will be fairly secure and yet so difficult to remember that hopefully the user will be more motivated to immediately change his or her password to something more comfy. You can also repurpose the password-generation part of this code if you plan to generate passwords during the registration process instead of letting the user choose the password, as we do in the Registration section earlier in this chapter.
Wednesday, February 13th, 2008

$php_self = $_SERVER['PHP_SELF'];
$login_form = <<< EOLOGINFORM

$feedback_str

LOGIN

Username

Password

EOLOGINFORM;
echo $login_form;
site_footer();
?>

Figure 44-2 shows the login page in the midst of an error.

Mozilla is far and away the best browser to develop on if you're working with the login functions of a site, because it has the Cookie Manager feature (in the Tools menu, or Tools > Options > Privacy > Cookies in Mozilla Firebird). Mozilla enables you to see all your cookies in a nice alphabetized list and to delete or block cookies individually. The only thing to watch out for is that cookies may be classified under example.com, servername.example.com, or www.example.com, depending on precisely how they were set.

Logging out is very simple: you just unset the cookies. Actually, if you are logged in and visit the login.php page, it happens automatically, so you can use login.php for both logging in and logging out.
Tuesday, February 12th, 2008

Listing 44-5 is called login.php. It shows a form and calls the login() function. On success, it redirects to the home page.

Listing 44-5: Login form (login.php)

        $feedback
        ';
    }
} else {
    $feedback_str = '';
}
// ----------------
// DISPLAY THE FORM
// ----------------
include_once('includes/header_footer.php');
site_header('Login');
// Superglobals don't work with heredoc
Monday, February 11th, 2008

} else {
    $user_name = strtolower($_POST['user_name']);
    // Don't need to trim because extra spaces should fail
    // for this
    // Don't need to addslashes because single quotes
    // aren't allowed
    $password = strtolower($_POST['password']);
    // Don't need to addslashes because we'll be hashing it
    $crypt_pwd = md5($password);
    $query = "SELECT user_name, is_confirmed
              FROM user
              WHERE user_name = '$user_name'
              AND password = '$crypt_pwd'";
    $result = mysql_query($query);
    if (!$result || mysql_num_rows($result) < 1) {
        $feedback = 'ERROR--User not found or password ' .
                    'incorrect';
        return $feedback;
    } else {
        if (mysql_result($result, 0, 'is_confirmed') == '1') {
            user_set_tokens($user_name);
            return 1;
        } else {
            $feedback = 'ERROR--You may not have confirmed ' .
                        'your account yet';
            return $feedback;
        }
    }
}
}

function user_logout() {
    setcookie('user_name', '', (time()+2592000), '/', '', 0);
    setcookie('id_hash', '', (time()+2592000), '/', '', 0);
}

function user_set_tokens($user_name_in) {
    global $supersecret_hash_padding;
    if (!$user_name_in) {
        $feedback = 'ERROR--No username';
        return false;
    }
    $user_name = strtolower($user_name_in);
    $id_hash = md5($user_name.$supersecret_hash_padding);
    setcookie('user_name', $user_name, (time()+2592000), '/', '', 0);
    setcookie('id_hash', $id_hash, (time()+2592000), '/', '', 0);
}
?>
Monday, February 11th, 2008

Listing 44-4 is called login_funcs.inc. It contains all login-related and logout-related functions, which will be called from other PHP pages.

Listing 44-4: Login and logout functions (login_funcs.inc)

Sunday, February 10th, 2008

$feedback_str
$noconfirm
$confirm
EOPAGE;
echo $page;
site_footer();
?>

Login/Logout

If your registration process is well designed in the first place, it can help your login process be more effective. So, for example, if you strictly enforce e-mail and username uniqueness during registration, in theory you do not need to check for those things during login. You may still want to, as a belt-and-braces kind of thing, but it all depends on how much you trust your registration. In the case of the registration system in the preceding section, our method of using a one-way hashing function to encrypt passwords and e-mails can also be adapted to enhance the reliability of cookies in an extremely scalable way.

Here's the problem we're trying to solve: After a user logs in, we want to set a cookie that uniquely identifies the user. Say we set a cookie that contains the user's username on our site, which is generally not a very private piece of information; in fact, it's a method of saving people from having to use their real names in public. A cookie, however, is just a text file; there's literally nothing stopping you from writing up a cookie file on your computer that claims you are someone else.

Sites deal with the cookie-verification problem in different ways, the most common of which is checking your cookie data against a database on every page load. This is not a very scalable solution, however, unless you have some kind of serious data-caching mechanism, because eventually the database becomes a bottleneck.

The solution that we use is a little bit different. When users log in, we look them up in the database by their usernames and passwords. If we find them in there, we set two cookies per user: one with the username and one with the hashed product of the username and a super-secret string known only to us.

Now on every page load, we check for the existence of these cookies, but we also see if they match and if they were set by us, by hashing the value of the username cookie with the super-secret string and then comparing it to the hash cookie. All this is done on the Web server at relatively little cost in time or cycles, rather than necessitating the opening of a connection to the database. Again, we must trust that the secret string is not compromised, but in the worst-case scenario we could change this string and merely cause everyone to be logged out suddenly.

After we confirm that the cookies do, in fact, match, we can optionally go even further by setting a global logged-in flag. This isn't the most secure method possible, but it's extremely fast. You may consider using a logged-in flag for reads and reserving every-page cookie verification for tools such as adding content or changing passwords. You could do this by splitting the user_isloggedin() function in Listing 44-4 into two functions: one to detect the flag and one to match up the cookies.
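The two-cookie scheme described above, written out as an added example that is not code from the book's listings. It assumes the secret string is loaded from configuration, and it deliberately swaps two details of the book's design: the username-plus-secret hash is computed with hash_hmac() over SHA-256 instead of md5() over the concatenated string, and the comparison uses hash_equals() instead of an ordinary equality test. The check function here plays the role the text assigns to user_isloggedin() in Listing 44-4; cookies are passed in as an array so the whole thing runs from the command line.

```php
<?php
// Added example (not the book's Listing 44-4): the two-cookie login token
// scheme, with the per-page verification step that avoids a database query.
// Assumptions: hash_hmac('sha256') replaces the book's md5(username . secret),
// hash_equals() replaces a plain == comparison, and the secret is constructed.

const COOKIE_LIFETIME = 2592000;   // 30 days, as in the book's setcookie() calls

// In a real deployment this value comes from configuration kept outside the
// web root; the string below is a constructed placeholder.
$supersecret_hash_padding = 'constructed-example-secret-change-me';

// Keyed hash over the lowercased username. Only a holder of the secret can
// produce a value that will later verify.
function user_token(string $user_name, string $secret): string {
    return hash_hmac('sha256', strtolower($user_name), $secret);
}

// Equivalent of user_set_tokens(): returns the two cookies to set instead of
// calling setcookie() directly, so the function can be exercised offline.
function user_make_tokens(string $user_name_in, string $secret): array {
    $user_name = strtolower($user_name_in);
    return [
        'user_name' => $user_name,
        'id_hash'   => user_token($user_name, $secret),
    ];
}

// Equivalent of the cookie-matching half of user_isloggedin(): recompute the
// hash from the user_name cookie and compare it with the id_hash cookie.
function user_isloggedin(array $cookies, string $secret): bool {
    if (empty($cookies['user_name']) || empty($cookies['id_hash'])) {
        return false;
    }
    $expected = user_token($cookies['user_name'], $secret);
    // Constant-time comparison: the check must not leak how many leading
    // characters of a guessed hash happened to match.
    return hash_equals($expected, $cookies['id_hash']);
}

// --- Demonstration with constructed cookie jars ---

// Cookies as the server would have issued them at login.
$good = user_make_tokens('Alice', $supersecret_hash_padding);
var_dump(user_isloggedin($good, $supersecret_hash_padding));

// A cookie file edited by hand: the username was changed but the hash could
// not be recomputed without the secret, so the pair no longer matches.
$forged = ['user_name' => 'admin', 'id_hash' => $good['id_hash']];
var_dump(user_isloggedin($forged, $supersecret_hash_padding));

// Rotating the secret invalidates every outstanding cookie pair at once,
// which is the "log everyone out" fallback the text describes.
var_dump(user_isloggedin($good, 'rotated-secret'));

// In a real page the cookies are emitted like this (HttpOnly added here as an
// assumption beyond the book's calls, so scripts in the page cannot read them):
// foreach ($good as $name => $value) {
//     setcookie($name, $value, time() + COOKIE_LIFETIME, '/', '', false, true);
// }
```

Run it with the PHP CLI; the three checks correspond to a genuine pair of cookies, a pair whose username was altered, and a pair presented after the secret has been rotated. Only the first should verify, which is exactly the property the text relies on: the server never consults the database, yet a cookie file that "claims you are someone else" cannot carry a matching hash unless the secret has leaked.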
Saturday, February 9th, 2008

After the user registers, he or she gets a confirmation e-mail with a link to click. This link contains a confirmation hash and the e-mail address that the mail was sent to. The user can't log in to the site until he or she gets this e-mail and we check it against the hash that we set. Here we are trusting that our padding string remains secret. If someone learned it, he or she could spoof any e-mail address quite easily, but until we have reason to believe our system security has been broken, this can be considered good-enough proof that the hash was indeed set by us. None of this will necessarily stop a determined attack by a knowledgeable cracker, but it will greatly reduce the number of people who try to give patently false e-mail addresses in registration forms.

After the user clicks through the link, he or she will see the following page, confirm.php (Listing 44-3).

Listing 44-3: New-user confirmation page (confirm.php)

        ERROR--Bad link
    ';
}
if ($worked != 1) {
    $noconfirm = '
        Something went wrong. ' .
        'Send email to admin@example.com for help. If you ' .
        ' through to this page directly, please go to login.php ' .
        'instead.
    ';
} else {
    $confirm = '
        You are now confirmed. Log in to start browsing the ' .
        'site.
    ';
}
$page = <<< EOPAGE

Saturday, February 9th, 2008

Password (again)

Email (required for confirmation)

EOREGSTR;
echo $reg_str;
site_footer();
?>

The registration form looks similar to Figure 44-1.

Figure 44-1: User registration form