492 Chapter 24 Building User Authentication and Personalization Listing 24.14 logout.php—This Script Ends a User Session <?php // include function files for this application require_once('bookmark_fns.php'); session_start(); $old_user = $HTTP_SESSION_VARS['valid_user']; // store to test if they *were* logged in unset($HTTP_SESSION_VARS); $result_dest = session_destroy(); // start output html do_html_header('Logging Out'); if (!empty($old_user)) { if ($result_dest) { // if they were logged in and are now logged out echo 'Logged out.<br />'; do_html_url('login.php', 'Login'); } else { // they were logged in and could not be logged out echo 'Could not log you out.<br />'; } } else { // if they weren't logged in but came to this page somehow echo 'You were not logged in, and so have not been logged out.<br />'; do_html_url('login.php', 'Login'); } do_html_footer(); ?> Again, you might find that this code looks familiar.That’s because it is based on the code we wrote in Chapter 20. Changing Passwords If a user follows the “Change Password” menu option, he will be presented with the form shown in Figure 24.7. 30 525x ch24 1/24/03 3:36 PM Page 492 493 Implementing User Authentication Figure 24.7 The change_passwd_form.php script supplies a form where users can change their passwords. This form is generated by the script change_passwd_form.php.This is a simple script that just uses the functions from the output library, so we have not included the source for it here. When this form is submitted, it triggers the change_passwd.php script, which is shown in Listing 24.15. Listing 24.15 change_passwd.php—This Script Attempts to Change a User Password <?php require_once('bookmark_fns.php'); session_start(); do_html_header('Changing password'); // create short variable names $old_passwd = $HTTP_POST_VARS['old_passwd']; $new_passwd = $HTTP_POST_VARS['new_passwd']; $new_passwd2 = $HTTP_POST_VARS['new_passwd2']; check_valid_user(); if (!filled_out($HTTP_POST_VARS)) { echo 'You have not filled out the form completely. Please try again.'; 30 525x ch24 1/24/03 3:36 PM Page 493 494 Chapter 24 Building User Authentication and Personalization display_user_menu(); do_html_footer(); exit; } else { if ($new_passwd!=$new_passwd2) echo 'Passwords entered were not the same. Not changed.'; else if (strlen($new_passwd)>16 || strlen($new_passwd)<6) echo 'New password must be between 6 and 16 characters. Try again.'; else { // attempt update if (change_password($HTTP_SESSION_VARS['valid_user'], $old_passwd, $new_passwd)) echo 'Password changed.'; else echo 'Password could not be changed.'; } } display_user_menu(); do_html_footer(); ?> This script checks that the user is logged in (using check_valid_user()), that she’s filled out the password form (using filled_out()), and that the new passwords are the same and the right length. None of this is new. If all that goes well, it will call the change_password() function as follows: if (change_password($HTTP_SESSION_VARS['valid_user'], $old_passwd, $new_passwd)) echo 'Password changed.'; else echo 'Password could not be changed.'; This function is from our user_auth_fns.php library, and the code for it is shown in Listing 24.16. Listing 24.16 change_password() Function from user_auth_fns.php—This Function Attempts to Update a User Password in the Database function change_password($username, $old_password, $new_password) // change password for username/old_password to new_password // return true or false { // if the old password is right // change their password to new_password and return true // else return false Listing 24.15 Continued 30 525x ch24 1/24/03 3:36 PM Page 494 495 Implementing User Authentication if (login($username, $old_password)) { if (!($conn = db_connect())) return false; $result = mysql_query( "update user set passwd = password('$new_password') where username = '$username'"); if (!$result) return false; // not changed else return true; // changed successfully } else return false; // old password was wrong } This function checks that the old password supplied was correct, using the login() function that we have already looked at. If it’s correct, then the function connects to the database and updates the password to the new value. Resetting Forgotten Passwords In addition to changing passwords, we need to deal with the common situation in which a user has forgotten her password. Notice that on the front page, login.php,we provide a link for users in this situation, marked,“Forgotten your password?”This link will take users to the script called forgot_form.php, which uses the output functions to display a form as shown in Figure 24.8. Listing 24.16 Continued Figure 24.8 The forgot_form.php script supplies a form in which users can ask to have their passwords reset and sent to them. 30 525x ch24 1/24/03 3:36 PM Page 495 496 Chapter 24 Building User Authentication and Personalization This script is very simple—just using the output functions—so we will not go through it here.When the form is submitted, it calls the forgot_passwd.php script, which is more interesting.This script is shown in Listing 24.17. Listing 24.17 forgot_passwd.php—This Script Resets a User’s Password to a Random Value and Emails Her the New One <?php require_once("bookmark_fns.php"); do_html_header("Resetting password"); //creating short variable name $username = $HTTP_POST_VARS['username']; if ($password=reset_password($username)) { if (notify_password($username, $password)) echo 'Your new password has been sent to your email address.'; else echo 'Your password could not be mailed to you.' .' Try pressing refresh.'; } else echo 'Your password could not be reset - please try again later.'; do_html_url('login.php', 'Login'); do_html_footer(); ?> As you can see, this script uses two main functions to do its job: reset_password() and notify_password(). Let’s look at each of these in turn. The reset_password() function generates a random password for the user and puts it into the database.The code for this function is shown in Listing 24.18. Listing 24.18 The reset_password() Function from user_auth_fns.php—This Script Resets a User’s Password to a Random Value and Emails Them the New One function reset_password($username) // set password for username to a random value // return the new password or false on failure { // get a random dictionary word b/w 6 and 13 chars in length $new_password = get_random_word(6, 13); if($new_password==false) return false; // add a number between 0 and 999 to it 30 525x ch24 1/24/03 3:36 PM Page 496 . Authentication and Personalization Listing 24.14 logout .php This Script Ends a User Session < ?php // include function files for this application require_once('bookmark_fns .php& apos;); session_start(); $old_user. change_passwd .php script, which is shown in Listing 24.15. Listing 24.15 change_passwd .php This Script Attempts to Change a User Password < ?php require_once('bookmark_fns .php& apos;); session_start(); do_html_header('Changing. forgot_passwd .php script, which is more interesting.This script is shown in Listing 24.17. Listing 24.17 forgot_passwd .php This Script Resets a User’s Password to a Random Value and Emails Her