Posted - 03/13/2024 : 06:49:07
I found that we added our own hashed password column to the database many years ago, and most accounts had the clPW field blank.
I added the logic below; it pulls one of the passwords, with clPW taking priority, and properly creates the RSK token.
```vbscript
if NOT dofloodcontrol then
    ' logic to be able to reset old passwords using our hash if the clPW field is blank in the database.
    ' Note: if clPW is NULL, Trim(rs("clPW")) <> "" evaluates to Null (treated as False), so the Else branch is taken.
    Dim passwordHash
    If Trim(rs("clPW")) <> "" Then
        passwordHash = rs("clPW")
    Else
        passwordHash = rs("clpasswordhash")
    End If
    if htmlemails=TRUE then emlNl="<br />" else emlNl=vbCrLf
    ' the reset link carries the stored hash itself as the rsk token
    tlink=storeurl & pagename & "?rst=" & theemail & "&rsk=" & passwordHash
    if htmlemails=TRUE then tlink="<a href=""" & tlink & """>" & tlink & "</a>"
```
I also needed to check the custom column as a fallback in the reset logic (the original query had a stray comma after clID, which is a syntax error; removed here):
```vbscript
sSQL="SELECT clID FROM customerlogin WHERE clEmail='" & escape_string(getget("rst")) & "' AND (clPw='" & escape_string(getget("rsk")) & "' OR clpasswordhash='" & escape_string(getget("rsk")) & "')"
```
Is there an option for requiring a verification email for a new account and forcing them to enter the email twice on the new account form?
Also, this method is insecure. It exposes the hashed password, has no expiry, and the link seems to be active forever. The password is also still MD5 and not SHA256. Is there a fix for this now or planned in the future?
Edited by - Dermontti on 03/13/2024 07:45:27
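For contrast with the reset link above, here is an added example (not code from the store software or from this post) of the token design the post's last paragraph asks for: a random, time-limited, single-use token whose SHA-256 digest is all that gets stored, so the password hash never leaves the server. It is a Python sketch of the design rather than ASP; the `accounts` dict, `reset_hash`/`reset_expires` fields and the one-hour lifetime are assumptions standing in for the customerlogin table. In a real database the lookup must use a parameterized query rather than string concatenation.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed lifetime of a reset link: one hour.
RESET_TTL_SECONDS = 3600


def _hash_token(token: str) -> str:
    """Only this digest is stored; the clear token exists solely in the e-mail link."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(accounts: dict, email: str, now: float) -> Optional[str]:
    """Create a fresh random, time-limited reset token for `email`.

    `accounts` is a constructed stand-in for the customerlogin table (email -> row).
    Returns the clear token for the link, or None if the account is unknown.
    """
    row = accounts.get(email)
    if row is None:
        return None
    token = secrets.token_urlsafe(32)      # 256 bits of randomness, unrelated to the password hash
    row["reset_hash"] = _hash_token(token)
    row["reset_expires"] = now + RESET_TTL_SECONDS
    return token


def consume_reset_token(accounts: dict, email: str, token: str, now: float) -> bool:
    """Validate a token from a reset link: must exist, be unexpired and match; usable once."""
    row = accounts.get(email)
    if row is None or not row.get("reset_hash"):
        return False
    if now > row["reset_expires"]:
        row["reset_hash"] = None           # stale token: discard it
        return False
    if not hmac.compare_digest(row["reset_hash"], _hash_token(token)):
        return False                       # constant-time compare; a wrong guess leaves the stored token intact
    row["reset_hash"] = None               # single use: a forwarded or logged link cannot be replayed
    row["reset_expires"] = 0
    return True


if __name__ == "__main__":
    accounts = {"alice@example.com": {"reset_hash": None, "reset_expires": 0}}  # constructed sample row
    t = issue_reset_token(accounts, "alice@example.com", 1000.0)
    print("valid once:", consume_reset_token(accounts, "alice@example.com", t, 1500.0))
    print("valid twice:", consume_reset_token(accounts, "alice@example.com", t, 1600.0))
```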