
I'm wondering if it's possible to have a user click on a 'forgot password' link that will email them their password which has been set in localStorage.

I know how to set and get in localStorage, I just need to know how to email what I get to the user, who has entered his email into a form field.

Your thoughts are much appreciated. Thanks!

THE AMAZING
user3472810
  • It is too risky because localStorage is not secure enough to hold sensitive info :( – Daniel Cheung Aug 28 '15 at 13:34
  • Trust me when I tell you I'm totally aware of that. The credentials in this particular case are the same for all users and the only reason we are using a login is to give the users the 'sense' that they are exclusive. It's really just for show. In fact the credentials are currently right in the JavaScript, and everybody knows it, but they still want to employ it, rather than just not use a login. I'm basically going through this exercise to get practice using JS. :) Oh, and thank you for your answer! – user3472810 Aug 28 '15 at 13:43
  • If it's a practice, it's fine, but emailing needs server-sided code. Else, think of a scenario of public computers. – Daniel Cheung Aug 28 '15 at 13:46
  • I totally agree, Daniel. Thanks! – user3472810 Aug 28 '15 at 13:49
  • Although you can save info upon logging in, then AJAX-post localStorage to the server to set up an email, etc. I'm not going to answer because I feel that will **mislead** others. – Daniel Cheung Aug 28 '15 at 13:51
  • Totally fair. Thanks for your feedback, anyway. – user3472810 Aug 28 '15 at 13:55

2 Answers


You are never supposed to send passwords, even to the email the user has on file. It should always be a reset password link redirect that you send. Also, localStorage isn't the proper place for information of that sort. You are going to want to implement a database to achieve the information protection you're looking for.

SidTheBeard
  • Thank you very much for this information. It's very helpful to know the correct way to do this. – user3472810 Aug 28 '15 at 13:48
  • No problem, are you familiar with the implementation of a database? – SidTheBeard Aug 28 '15 at 13:51
  • I'm not yet, but I'm learning it. For this particular case, I just want to get what's in localStorage and send it to the value of the email field using JS, really to just practice JS. – user3472810 Aug 28 '15 at 13:55
  • @RichardGrant why are you commenting on my answer? I understand what you are saying but I didn't ask for that info. I was simply informing somebody, who may not have previously known, about proper password practices. – SidTheBeard Aug 28 '15 at 14:47
  • No, sorry, posted under the wrong post. I agree with your answer 100% – THE AMAZING Aug 28 '15 at 14:49
  • No problem, just always curious to hear all sides of an argument. @RichardGrant – SidTheBeard Aug 28 '15 at 14:52

localStorage works a lot like cookies (but they are not the same).

Don't get me wrong, localStorage was a phenomenal update for modern browsers. Now developers can easily load massive applications without having to store chunks in files on the server! It is advised not to store secure information such as a user's password in localStorage.

Instead, generate a random MD5 hash set up as an authorizing key for a script. Have a PHP script set up to return the password for the account associated with the authorizing key & username. Remember to reset the key after the authorization is made.

Database:

|   ID    |  Username |  Password  |         Email           |                 Key                  |
|    1    |    John   |   secret   |      john@gmail.com     |    0cc175b9c0f1b6a831c399e269772661  |

For your PHP I would recommend you look into PHP::PDO http://php.net/manual/en/book.pdo.php

PHP: (forgot_password.php)

<?php

    if(isset($_GET['key']) && isset($_GET['username'])){
        // Placeholders: fill in your own database name, credentials and table name
        $dbName = 'DB NAME';
        $dbUser = 'DB USERNAME';
        $dbPass = 'DB PASSWORD';
        $table  = 'TABLE NAME';
        $connect = new PDO('mysql:host=localhost;dbname=' . $dbName, $dbUser, $dbPass);
        $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        $user = getall($connect, $table,
            array(
                'PASSWORD'
            ),
            array(
                'key' => $_GET['key'],
                'username' => $_GET['username']   // was "'username', $_GET['username']" (missing =>)
            ), 1,
            array(
                'ASC'=>'ID'
            )
        );
        print_r($user); // I will print so you can figure out how to use this for your needs
        $connect = null; //close connection
    }

// Table/column names and the sort order come from the developer's own code; the request
// values ($_GET) are handed to PDO as bound parameters and never concatenated into the SQL.
function getall($connect, $table, $values, $conditions = null, $limit = null, $ascdesc = null){
    $values_str = implode(", ", $values);
    $cond_str = "";
    $params = array();
    if($conditions != null){
        $parts = array();
        foreach($conditions as $key => $value){
            $parts[] = "`" . $key . "` = :" . $key;   // backticks: `key` is a reserved word in MySQL
            $params[":" . $key] = $value;
        }
        $cond_str = " WHERE (" . implode(" AND ", $parts) . ")";
    }
    $orderby = "";
    if($ascdesc != null){
        foreach($ascdesc as $key => $value){
            $orderby = " ORDER BY " . $value . " " . $key;
            break;
        }
    }
    $sql = "SELECT " . $values_str . " FROM " . $table . $cond_str . $orderby . (($limit)? " LIMIT " . (int)$limit: "");
    //echo $sql;
    $sql_prep = $connect->prepare($sql);
    $sql_prep->execute($params);
    return $sql_prep->fetchAll(PDO::FETCH_ASSOC);
}
?>

When a user clicks the forgot password link, have them type in their username, and email a link to the email on file for the associated user:

http://www.example.com/forgot_password.php?username=John&key=0cc175b9c0f1b6a831c399e269772661

Side note: it is highly insecure to store passwords without hashing (many call this encryption, but hashing and encryption are entirely different). I suggest you store your passwords using password_hash; read more at: http://php.net/manual/en/function.password-hash.php

I advise making the user change their password once they are authorized on the forgot_password.php script.
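A server-side version of the key-based flow described above, as an added example that is not code from this answer: the key is random rather than an MD5 of anything, only its hash is stored, it expires and works exactly once, and the script sets a new password with password_hash instead of returning the old one. The table schema, sample user and in-memory SQLite database are constructed for the demo so it runs stand-alone from the CLI.

```php
<?php
// Added example, not code from the answer above: a single-use, expiring reset
// key with hashed passwords. The schema, sample user and in-memory SQLite
// database are constructed here so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password_hash TEXT, email TEXT, reset_hash TEXT, reset_expires INTEGER)');
$db->prepare('INSERT INTO users (username, password_hash, email) VALUES (?, ?, ?)')
   ->execute(['John', password_hash('secret', PASSWORD_DEFAULT), 'john@example.com']);

// Step 1: user submits a username. Generate a random key; store only its hash,
// so a leaked database row is not a usable reset link.
function create_reset_token(PDO $db, string $username): ?string {
    $key = bin2hex(random_bytes(32));                       // 256-bit, unguessable
    $st = $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE username = ?');
    $st->execute([hash('sha256', $key), time() + 900, $username]);  // valid 15 minutes
    return $st->rowCount() === 1 ? $key : null;             // goes only into the emailed link
}

// Step 2: the emailed link is forgot_password.php?username=John&key=<key>.
// On submit, check the key (constant-time) and expiry, set the new password
// with password_hash, and burn the key so the link works exactly once.
function reset_password(PDO $db, string $username, string $key, string $newPassword): bool {
    $st = $db->prepare('SELECT id, reset_hash, reset_expires FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int)$row['reset_expires'] < time()) {
        return false;                                       // unknown user, no key, or expired
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $key))) {
        return false;                                       // wrong key
    }
    $up = $db->prepare('UPDATE users SET password_hash = ?, reset_hash = NULL,
        reset_expires = NULL WHERE id = ?');
    $up->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['id']]);
    return true;
}

$key = create_reset_token($db, 'John');
$checks = [
    'wrong key rejected'  => reset_password($db, 'John', 'not-the-key', 'x') === false,
    'valid key accepted'  => reset_password($db, 'John', $key, 'new-secret') === true,
    'key is single-use'   => reset_password($db, 'John', $key, 'again') === false,
    'new password stored' => password_verify('new-secret',
        $db->query("SELECT password_hash FROM users WHERE username = 'John'")->fetchColumn()),
];
foreach ($checks as $name => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $name . "\n";
}
```

Run with `php reset_demo.php` (any filename); all four lines should print PASS.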


Your question asked how to send an email. In order to send emails from your server you need to make sure your Apache settings are configured correctly. Here is a post on Stack Overflow that addresses this locally: send mail from local apache server

Once your configuration is set up correctly you can run this PHP function:

function send_email($subject, $msg, $to, $from){
    $from = strip_tags($from);   // was "$from - strip_tags($from)", a typo that did nothing
    $to = strip_tags($to);
    // strip_tags does not remove line breaks; an address containing CR/LF would let
    // extra headers be injected into $headers below, so accept only a plain address.
    if(!filter_var($to, FILTER_VALIDATE_EMAIL) || !filter_var($from, FILTER_VALIDATE_EMAIL))
        return false;

    $message = $msg;

    $headers = "From: " . $from . "\r\n";
    $headers .= "Reply-To: ". $from . "\r\n";
    $headers .= "X-Confirm-Reading-To:" . $from . "\r\n";
    $headers .= "Mailed-By:" . $from . "\r\n";
    $headers .= "Disposition-Notification-To:" . $from . "\r\n";
    $headers .= "Return-Receipt-To:" . $from . "\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
    if(mail( $to, $subject, $message, $headers ))
        return true;
    return false;   // the original was missing the semicolon here
}

I also want to add that if you are hoping to save a user's login information, this is done on the server and not on the client side. Append your form with a "remember me" check box. Have your PHP check if the check box is checked; if it is, then store the user's ID in a database table for remembered users. You should also make PHP store at least 5 random unique hashes in cookies, to serve as a key for accessing the remembered information. Have your website check to see if the cookies exist and, if they do, match them up with your database table and pull the user ID.

THE AMAZING