
Frontend password reset


The modules don't really work for me. I have a custom login and registration process directly in template files and just want to add password reset. I don't need admin etc.

The following works:


<?php
// Initialise so the check further down never reads an undefined variable
$note = '';

if ($user->isLoggedin()) {
    // already logged in: nothing to show

} else {

    if ($input->post->submitforgot) {

        $email = $input->post->useroremail;

        if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
            // input looks like an email address: look up the matching username
            $finduser = $users->get("email=".$email);
            $founduser = $finduser->name;
        } else {
            // otherwise treat the input as a username
            $founduser = $input->post->useroremail;
        }

        if ($users->get($founduser)->id) {
            $lostmember = $users->get($founduser);
            $note = 'We found your account. Check your inbox for an email with a password reset link.';
            // passworder() is the poster's own helper (not shown in the post)
            $pass = passworder(8);
            // activation key placed in the emailed link
            $activation = md5($pass."randomstringhereforextraprotection");
            $lostmember->activation = $activation;
            $activationlink = 'https://' . $config->httpHost . $_SERVER['REQUEST_URI'] . '?key='. $activation .'#join';
            // fill the placeholders in the message stored on the /join page
            $message = strip_tags(wirePopulateStringTags($pages->get('/join')->passreset_message,[ 'fullname' => $lostmember->fullname, 'activatelink' => $activationlink, 'username' => $lostmember->name ]));
            $mail->send($lostmember->email, 'My Website<admin@mywebsite.com>', 'Your password reset link', $message);

        } else {
            $note = 'Member does not exist. What are you even doing here?';
        }
    }

    if ($note) {
        echo $note;
    } else {
?>
    <form action='<?php echo $config->urls->root; ?>#forgot' method=post id=forgotpass autocomplete=on>
    <section class=field>
    <label for=useroremail>Email or username</label>
    <input id=useroremail type=text name=useroremail placeholder='' autocomplete=username required>

    <input type=submit name=submitforgot value='reset password' />
    </section>
    </form>
<?php
    }
}
?>



My PHP knowledge is very limited - I don't understand namespace, hooks, etc. etc. I have to start from a basic proof-of-concept and then improve on that as needed. 

Are there obvious mistakes in the code above?

Obvious security risks?

The process is really slow; it takes forever after clicking submit to find the user in the database. Could the code be more efficient?

Any comments / suggestions much appreciated.



Hi @modifiedcontent, have you considered just using Ryan's ProcessForgotPassword module that is already part of PW and just loading it in your template file and having it take care of things for you?

I've not tried it myself in my own template files but it is certainly possible. Something like this might work for you on your reset page template (totally untested, but you seem to be willing to experiment)...


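<?php
if ($user->isLoggedin()) {
    // already logged in: no reset form needed
} else {
    // load the core forgot-password module and let it render and process the form
    $pfp = wire()->modules->get("ProcessForgotPassword");
    $pfp->useInlineNotices = true;
    $pfp->emailFrom = 'your-from-address@your.domain';
    echo $pfp->execute();
}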

There are several other settings like 'useInlineNotices' that are documented in the module from lines 17-28, linked here.

You'll be better served using this core module if you can, rather than writing something yourself.  If you do want to use this as a learning opportunity, and decide to go with your own code then I'd suggest research in the following areas: CSRF tokens, session variables, cryptographically secure random number generators, MD5 weaknesses and password hashing.

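Several of the areas named in the reply above (a cryptographically secure random source, MD5 weaknesses, password hashing) meet in how a reset token is issued and redeemed. The sketch below is an added example, not part of the original posts and not ProcessWire's own code; the `$account` array, its `reset_hash`, `reset_expires` and `pass_hash` keys, the function names and the 30-minute lifetime are assumptions standing in for the user record.

```php
<?php
declare(strict_types=1);
const RESET_TTL = 1800; // assumed token lifetime in seconds

// Create a one-time token; only its SHA-256 digest is kept on the account.
function issueResetToken(array &$account, int $now): string
{
    $token = bin2hex(random_bytes(32));               // 256 bits from the OS CSPRNG
    $account['reset_hash'] = hash('sha256', $token);  // a leaked record does not reveal the token
    $account['reset_expires'] = $now + RESET_TTL;
    return $token;                                    // appears only in the emailed link
}

// Accept the token once, before expiry, using a constant-time comparison.
function redeemResetToken(array &$account, string $token, int $now): bool
{
    $stored = $account['reset_hash'] ?? '';
    $ok = $stored !== ''
        && $now <= ($account['reset_expires'] ?? 0)
        && hash_equals($stored, hash('sha256', $token));
    if ($ok) {
        unset($account['reset_hash'], $account['reset_expires']); // single use
    }
    return $ok;
}

// Passwords, unlike long random tokens, need a slow salted hash.
function setNewPassword(array &$account, string $plain): void
{
    $account['pass_hash'] = password_hash($plain, PASSWORD_DEFAULT);
}

// Constructed sample account (hypothetical values) standing in for the user record.
$account = ['name' => 'demo-user', 'email' => 'demo@example.test'];
$now = time();
$token = issueResetToken($account, $now);

$results = [
    'wrong token accepted'   => redeemResetToken($account, 'not-the-token', $now),
    'expired token accepted' => redeemResetToken($account, $token, $now + RESET_TTL + 1),
    'valid token accepted'   => redeemResetToken($account, $token, $now + 60),
    'reused token accepted'  => redeemResetToken($account, $token, $now + 120),
];
setNewPassword($account, 'constructed-Example-passphrase');
$results['new password verifies'] = password_verify('constructed-Example-passphrase', $account['pass_hash']);

foreach ($results as $label => $value) {
    echo $label, ': ', var_export($value, true), PHP_EOL;
}
```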
