我很想知道:一旦通过电子邮件发送了pw_reset令牌,是否可以获取推荐人帐户的电子邮件地址进行验证,或者最好是针对IP进行验证?我已将令牌设置为1小时,甚至动态IP也不会以该速率更改,对吧?
我正在玩的一些代码(非常多的WIP),对改进/建议/批评持开放态度。
提前致谢。
/**
* Reset Password Form
*
* $route['auth/reset-password'] = 'reset_password_form';
*
*/
public function reset_password_form()
{
$this->load->view('templates/public', array(
'content' => 'auth/reset_password_form',
'title' => 'Password reset',
'description' => '',
'canonical' => 'auth'
));
}
/**
* Reset Password Authentication
*
* $route['auth/reset_password/validate'] = 'auth/reset_password';
*
*/
public function reset_password()
{
//setup validation rules
$config = array(
array('field'=>'email_address', 'label' =>'Email address', 'rules'=>'trim|required|max_lenght[128]|valid_email|valid_user_email')
);
$this->form_validation->CI =& $this;
$this->form_validation->set_rules($config);
//run validator and confirm OR
if($this->form_validation->run($this))
{
//create the token data
$tokenhash = Auth::create_token();
$password_token = json_encode(array(
'token' => $tokenhash,
'expires' => date('h:i:s A', strtotime($this->config->item('pw_token_expires'))), // default 1 hours
'ip_address' => $this->input->ip_address()
)); // output {"token":"3513f5ee34ED3","expires":"01:14:06 AM","ip_address":"127.0.0.1"}
//grab a userid to use via php-activerecord custom USER model
$user = User::get_by_email_address($this->input->post('email_address'));
//update the user pw_token field
try{
if($user->update_attribute('pw_token', $password_token))
{
throw new \ActiveRecord\ActiveRecordException($user->errors);
}
}catch(\ActiveRecord\ActiveRecordException $e){
log_message('error', $e->getMessage());
}
//setup email data
//TODO : move this to USER activeRecord\Model (pre_)
$email_data = array(
'email_to' => $user->email_address,
'token' => anchor(site_url('auth/reset_password/confirm/'.$tokenhash.'/'.$user->id.''), 'click here to reset your password'),
'site_link' => anchor(site_url(), site_url())
);
try{
if(Mail::send($email_data, 'reset_password.tpl.html'))
{
throw new Exception(Mail::errors());
}
}catch(Exception $e){
log_message('error', $e->getMessage());
}
}
else
{
$this->reset_password_form();
}
}
/**
* Reset Password Confirmation
*
* $route['auth/reset_password/confirm/(:any)/(:num)'] = 'auth/confirm_password_reset';
*/
public function confirm_password_reset($token='', $userid='')
{
//check for null values
if(!$token || !$id)
{
redirect('/');
}
//ugly
$attempts = $this->session->set_userdata('reset_pw_attempt', (int)0);
$this->session->set_userdata('reset_pw_attempts', $attempts++);
if(!$this->user->id != $userid && $this->session->userdata('logged_in') === (int)0)
{
//not great but cant validate the email, so we check to see if they have a logged in session.
//this is not a "forgot_password request" so we should be good as long as they are logged in
show_404();
}
else
{
//looking good so far, now lets see do they have the correct permissions
if(in_array(PERM_UPDATE, Auth::permissions($this->user->permissions)))
{
if($attempts == (int)3)
{
$this->session->set_flashdata('', $this->lang->line('pw_reset_attempt_over'));
redirect('/');
}
else
{
$tokn[] = json_decode($this->user->pw_token);
if(date('h:i:s A', time()) > $tokn['expires'] && $token===$tokn['token'])
{
$this->load->view('do-pw_reset_form');
}
}
}
else
{
$this->session->set_flashdata('info', $this->lang->line('update_permission_denied'));
redirect('/');
}
}
}
答案 0 :(得分:1)
您为什么要查看推荐人?使用closed loop verification是确认用户电子邮件地址的标准做法。您无需检查IP或引荐来源,您只需创建自定义哈希并跟踪电子邮件地址,然后将包含此信息的电子邮件发送给用户。
当用户点击嵌入式链接时,您确认您创建的哈希,如果哈希排队,则用户已确认其系统中的电子邮件帐户。
//Example Link
https://mydomain.com/verify?hash=<some_hash>
为了增加安全性,您还可以跟踪系统发送电子邮件的时间,并在24小时后使哈希无效。因此,如果用户在25小时后点击,则告知他们哈希无效并询问是否要发送其他电子邮件,如果是,请重复上述过程。
答案 1 :(得分:1)
通过查询字符串参数检查电子邮件地址或利用IP限制都是完全多余的。如果密码令牌是随机的并且足够长,则不可能强制它,特别是当与令牌到期和令牌猜测的速率限制相结合时。
IP地址限制也可能是一个可用性问题。例如,用户可能在离开工作之前请求密码重置,然后在家中或在通勤回家期间完成重置过程 - 也就是说,用户的IP地址在重置请求和重置确认之间改变。
答案 2 :(得分:0)
没有理由检查推荐人,如果客户的计算机受到损害,你无法做任何事情来避免劫持。您可以做的是注意CSRF漏洞。
此外,在阅读之后,它看起来确实检查了'ip_address'=&gt; $这 - &GT;输入 - &GT; IP-地址()