Secure PHP Development- P46 pps


Figure 6-6: Flow diagram of the forgotten-password recovery application. (Decision and action boxes in the diagram: Step = 1? / Get email address / Does email address belong to a user? / Send email to user with a URL that contains user_id, request_checksum and step = 2 / Is the request_checksum valid? / Get new password from user / Is password OK? / Store encrypted password.)

196 Part II: Developing Intranet Solutions 09 549669 ch06.qxd 4/4/03 9:24 AM Page 196

Implementing the forgotten-password recovery application

The forgotten-password recovery application implements the following methods:

◆ resetPasswordDriver(): This method uses the global form variable, $step, to determine the phase of the forgotten-password recovery process. The tasks performed by this method are as follows:

1. When $step is unset, the first step in the process is assumed and the user is provided an interface to enter her username (e-mail address).

2. When the user has entered the username, the interface supplies a new value (2) for $step, which is embedded as a hidden field within the HTML form displayed in the first step.

3. In the second step, the method calls sendEmail() to send an e-mail to the user with a link that enables her to return to this application and enter the third step.

4. When the user clicks on the e-mailed link, a user interface that enables the user to change her password is presented. Submitting the new password together with the confirmation password makes the method enter the final step.

5. In the final step, the method calls resetPassword() to replace the existing password with the newly entered password.

◆ resetPassword(): This method performs the actual task of resetting the existing password to the newly entered password. It works as follows:

1. It uses getCheckSum() to calculate the checksum of the request, and then compares it with the given checksum. If they don't match, the application shows an alert message and returns the user to the last screen.

2. It uses checkPassword() to check the password for length and dummy-password issues.

3. It creates a two-character salt from two random characters, encrypts the user-entered password with it, and adds the result to an associative array called $hash.

Chapter 6: Central User Management System 197 09 549669 ch06.qxd 4/4/03 9:24 AM Page 197

4. It creates a User object, $userObj, and calls getUserInfo() to load the user information.

5. It calls updateUser() with $hash as the parameter. updateUser() performs the actual database operation of updating the password. It updates only the password, because $hash contains only the password information.

6. It displays the appropriate success or failure status message.

◆ email(): This method is called by showScreen() to populate the e-mail template, which becomes the HTML message sent to the user who is requesting the change for a forgotten password. It works as follows:

1. It creates a User object, $userObj, and uses getUserIDByName() to retrieve the user's ID.

2. It returns FALSE if the user ID is not found. Otherwise, it uses getCheckSum() to generate a checksum for the current user ID.

3. It incorporates the checksum value in a URL along with the user ID and a step value set to 3.

4. It embeds the forgotten-password application URL into the HTML template by replacing the PASSWORD_URL tag with the URL value.

5. It returns TRUE status.

The following are other methods implemented in this application.

Method          Description

run()           Calls resetPasswordDriver(), which is responsible for managing the entire forgotten-password process.

sendEmail()     Sends an e-mail link to the user, which she can use to return to the forgotten-password application to enter a new password. The e-mail message is read as an HTML template, which is processed by the showScreen() method. The showScreen() method calls the email() method to create the actual message, which the sendEmail() method sends to the user.
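The checkPassword() and salted-encryption steps of resetPassword() are described above but the book's code for them is not on this page, so the following is an added example of my own, not the book's or the user_mngr framework's code. It implements the two-character salt plus crypt() scheme the text describes next to the password_hash() form that current PHP provides; $MIN_PASSWORD_SIZE and $DUMMY_PASSWD take the values from Listing 6-7, and the error-code strings are assumptions.

```php
<?php
// Added example, not code from the book. Shows resetPassword() steps 2 and 3
// as the text describes them (length/dummy/confirmation checks, then a
// two-character salt fed to crypt()) next to password_hash().
declare(strict_types=1);

const MIN_PASSWORD_SIZE = 3;        // value from Listing 6-7; far too short for real use
const DUMMY_PASSWD = '1234567890';  // value from Listing 6-7

// Length, dummy-password and confirmation checks. Returns null when the
// password is acceptable, otherwise an (assumed) error code.
function checkPassword(string $pwd, string $confirm): ?string
{
    if (strlen($pwd) < MIN_PASSWORD_SIZE) {
        return 'PASSWORD_TOO_SHORT';
    }
    if ($pwd === DUMMY_PASSWD) {
        return 'PASSWORD_IS_DUMMY';
    }
    if (!hash_equals($pwd, $confirm)) {
        return 'PASSWORD_MISMATCH';
    }
    return null;
}

// The book's scheme: two random salt characters and crypt(). A two-character
// salt selects traditional DES crypt, which uses only the first 8 bytes of the
// password and has a salt space of 4096 values, so offline guessing is cheap.
function makeSalt(int $len = 2): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < $len; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}

function legacyHash(string $pwd): string
{
    return crypt($pwd, makeSalt());
}

function legacyVerify(string $pwd, string $stored): bool
{
    // The stored value carries its own salt, so crypt() reuses it.
    return hash_equals($stored, crypt($pwd, $stored));
}

// Current form: bcrypt via password_hash(); the salt is generated internally
// and the cost factor can be raised as hardware gets faster.
function modernHash(string $pwd): string
{
    return password_hash($pwd, PASSWORD_BCRYPT, ['cost' => 12]);
}

// What updateUser($hash) receives: an array holding only the password column.
function buildUpdateHash(string $pwd, string $confirm): array
{
    $err = checkPassword($pwd, $confirm);
    if ($err !== null) {
        throw new InvalidArgumentException($err);
    }
    return ['password' => modernHash($pwd)];
}

// Usage
$hash = buildUpdateHash('correct horse battery staple', 'correct horse battery staple');
var_dump(password_verify('correct horse battery staple', $hash['password']));
$old = legacyHash('correct horse battery staple');
var_dump(legacyVerify('correct horse', $old));   // DES crypt compares only the first 8 bytes
```

The last call is the point of the comparison: with the two-character salt both strings share the same first eight bytes ("correct "), so the legacy scheme accepts the truncated password, while bcrypt would not.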
getCheckSum()   Creates a checksum value using the user ID and a secret random number loaded from the configuration file. The checksum is used to protect the e-mailed link from being generated by an unfriendly user.

checkPassword() Checks the user-entered password for length and confirmation tests.

get_username()  Called by the showScreen() method when displaying the username entry interface as the first step in resetting the forgotten password.

reset_pwd()     Called by the showScreen() method when displaying the password entry interface as the third step in resetting the forgotten password.

authorize()     Because anyone can request to change her password, the authorization method always returns TRUE.

Listing 6-7 shows the code for the forgotten-password recovery application.

Listing 6-7: usermngr_forgotten_pwd.php

<?php
// Turn on all error reporting
error_reporting(E_ALL);

// If you have installed the framework directory in
// a different directory than
// %DocumentRoot%/framework, change the setting below.
$APP_FRAMEWORK_DIR = $_SERVER['DOCUMENT_ROOT'] . '/framework';
$PEAR   = $_SERVER['DOCUMENT_ROOT'] . '/pear';
$PHPLIB = $_SERVER['DOCUMENT_ROOT'] . '/phplib';

// Insert the path in the PHP include_path so that PHP
// looks for PEAR, PHPLIB and our application framework
// classes in these directories
ini_set('include_path', ':' . $PEAR . ':' . $PHPLIB . ':' . $APP_FRAMEWORK_DIR . ':' . ini_get('include_path'));

$AUTHENTICATION_URL = "/login/login.php";
$LOGOUT_URL = "/logout/logout.php";
$APP_MENU = '/home/home.php';
$APPLICATION_NAME = 'USER_MNGR';
$XMAILER_ID = 'Example User Manager Version 1.0';
$DEFAULT_LANGUAGE = 'US';
$DEFAULT_DOMAIN = 'example.com';
$ROOT_PATH = $_SERVER['DOCUMENT_ROOT'];
$REL_ROOT_PATH = '/user_mngr';
$REL_APP_PATH = $REL_ROOT_PATH . '/apps';
$TEMPLATE_DIR = $ROOT_PATH . $REL_APP_PATH . '/templates';
$CLASS_DIR = $ROOT_PATH . $REL_APP_PATH . '/class';
$REL_TEMPLATE_DIR = $REL_APP_PATH . '/templates/';

require_once "user_mngr.errors";
require_once "user_mngr.messages";
require_once 'DB.php';
require_once $APP_FRAMEWORK_DIR . '/' . 'constants.php';
require_once $APP_FRAMEWORK_DIR . '/' . $APPLICATION_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $ERROR_HANDLER_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $AUTHENTICATION_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $DBI_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $USER_CLASS;
require_once $TEMPLATE_CLASS;

$MIN_USERNAME_SIZE = 3;
$MIN_PASSWORD_SIZE = 3;
$DUMMY_PASSWD = '1234567890';
$ROOT_USER = 'kabir@evoknow.com';
$SECRET = 916489;
$CHAR_SET = 'charset=iso-8859-1';

// Application names
$USERMNGR_MNGR = 'user_mngr.php';
$USERMNGR_FORGOTTEN_APP = 'user_mngr_forgotten_pwd.php';
$USERMNGR_CHANGE_PWD_APP = 'user_mngr_passwd.php';

/* START TABLE NAMES */
$APP_DB_URL = 'mysql://root:foobar@localhost/auth';
$AUTH_DB_TBL = 'users';

Continued
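The resetPasswordDriver() steps and the getCheckSum() description above fit together as one flow, so here is an added example of my own (not the book's or the user_mngr framework's code) that models it end to end. The book says only that getCheckSum() combines the user ID with a secret from the configuration file, not how; the HMAC used for that below is an assumption, as are the application path, the 30-minute lifetime and the in-memory user table. Two caveats a practitioner would raise about the design as described: a checksum that depends only on user_id and the secret is the same for every request, so a mailed link never expires and can be replayed; and the listing sets $SECRET = 916489, a six-digit integer, so if the checksum is a hash over the user ID and that number, anyone holding one valid link for a known user ID can try all one million candidates offline, recover the secret, and mint links for any account. The example therefore shows that deterministic checksum beside a token that carries an expiry and a random nonce, is stored server-side only as a hash, and is spent on first use; the secret is assumed to be a long random string.

```php
<?php
// Added example, not code from the book or its user_mngr framework. It
// models the step-driven flow described for resetPasswordDriver() and
// compares two ways of producing request_checksum: a value derived only
// from user_id and a configured secret, as the method table describes
// getCheckSum() (the HMAC here is an assumption; the book does not show
// the function), and an expiring, single-use token.
declare(strict_types=1);

const RESET_APP_URL = '/user_mngr/apps/user_mngr_forgotten_pwd.php'; // assumed from the listing's $REL_APP_PATH
const TOKEN_TTL = 1800;                                              // 30 minutes; assumed policy

// Constructed stand-in for the `users` table: user_id => e-mail address.
$USERS = [1 => 'alice@example.com', 2 => 'bob@example.com'];

// getCheckSum() as the text describes it: a function of the user ID and the
// secret alone, so every request for a user yields the same value, the link
// never expires, and a link that leaks can be replayed indefinitely.
function getCheckSum(int $userId, string $secret): string
{
    return hash_hmac('sha256', (string) $userId, $secret);
}

// Hardened alternative: user ID, expiry and a random nonce are MACed with
// the secret; the server keeps only a hash of the issued token and marks it
// spent on first successful use.
function issueToken(int $userId, string $secret, int $now, array &$store): string
{
    $payload = $userId . '|' . ($now + TOKEN_TTL) . '|' . bin2hex(random_bytes(16));
    $token = $payload . '|' . hash_hmac('sha256', $payload, $secret);
    $store[$userId] = ['hash' => hash('sha256', $token), 'used' => false];
    return $token;
}

// Returns the user ID the token was issued for, or null if it is forged,
// expired, unknown, superseded by a newer request, or already used.
function verifyToken(string $token, string $secret, int $now, array &$store): ?int
{
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $expires, $nonce, $mac] = $parts;
    $payload = "$userId|$expires|$nonce";
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac) || (int) $expires < $now) {
        return null;
    }
    $rec = $store[(int) $userId] ?? null;
    if ($rec === null || $rec['used'] || !hash_equals($rec['hash'], hash('sha256', $token))) {
        return null;
    }
    $store[(int) $userId]['used'] = true;
    return (int) $userId;
}

// The step driver. $req stands in for the submitted form and query variables
// ($step, email, user_id, request_checksum); the return value names the
// screen to show and, in step 2, the URL that sendEmail() would mail.
function resetPasswordDriver(array $req, array $users, string $secret, int $now, array &$store): array
{
    switch ((int) ($req['step'] ?? 1)) {
        case 2:   // e-mail address submitted: build the link for sendEmail()
            $userId = array_search($req['email'] ?? '', $users, true);
            $url = null;
            if ($userId !== false) {
                $query = ['step' => 3, 'user_id' => $userId,
                          'request_checksum' => issueToken($userId, $secret, $now, $store)];
                $url = RESET_APP_URL . '?' . http_build_query($query);
            }
            // Same screen whether or not the address exists, so the form
            // cannot be used to enumerate valid accounts.
            return ['screen' => 'email_sent', 'mail_url' => $url];
        case 3:   // link clicked: show the new-password form, carrying the token along
            return ['screen' => 'reset_pwd', 'user_id' => $req['user_id'] ?? null,
                    'request_checksum' => $req['request_checksum'] ?? null];
        case 4:   // new password submitted: verify the request before resetPassword()
            $userId = verifyToken((string) ($req['request_checksum'] ?? ''), $secret, $now, $store);
            if ($userId === null || $userId !== (int) ($req['user_id'] ?? 0)) {
                return ['screen' => 'reset_pwd', 'error' => 'invalid or expired request'];
            }
            return ['screen' => 'status', 'ok' => true, 'user_id' => $userId];
        default:  // $step unset or 1: ask for the e-mail address
            return ['screen' => 'get_username'];
    }
}

// Usage: complete one flow, then replay the same link.
$secret = 'a-long-random-string-from-the-config-file';   // not a six-digit number
$store = [];
$now = time();
$sent = resetPasswordDriver(['step' => 2, 'email' => 'alice@example.com'], $USERS, $secret, $now, $store);
parse_str((string) parse_url($sent['mail_url'], PHP_URL_QUERY), $link);
$done = resetPasswordDriver(['step' => 4] + $link, $USERS, $secret, $now, $store);
$replay = resetPasswordDriver(['step' => 4] + $link, $USERS, $secret, $now, $store);
var_dump($done['ok'] ?? false, isset($replay['error']));
```

The first step-4 call succeeds and marks the token spent; the replay of the same link is refused. Storing only a hash of the token means a read of the database does not hand an attacker a usable link, and issuing a new token overwrites the record, so only the most recent request for a user is honoured.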

Posted: 07/07/2014, 07:20

Table of contents

  • Secure PHP Development

    • Front Matter

      • Preface

        • Is This Book for You?

        • How This Book Is Organized

        • Tell Us What You Think

      • Acknowledgments

      • Contents at a Glance

      • Contents

    • Part I

      • Chapter 1: Features of Practical PHP Applications

        • Features of a Practical PHP Application

        • Employing the Features in Applications

        • Summary

      • Chapter 2: Understanding and Avoiding Security Risks

        • Identifying the Sources of Risk

        • Minimizing User-Input Risks

        • Not Revealing Sensitive Information

        • Summary

      • Chapter 3: PHP Best Practices

        • Best Practices for Naming Variables and Functions

        • Best Practices for Function/Method

        • Best Practices for Database

        • Best Practices for User Interface

        • Best Practices for Documentation

        • Best Practices for Web Security

        • Best Practices for Source Configuration Management
