lost password


Frank Vèssia
The passwords in ProcessWire are not reversible (unless you keep a copy of them somewhere else), so you would need to email a password reset email, as opposed to a feature that emails them their actual password. This is something that will be included with the new user system. However, if you wanted to do it now, you would have a "forgot password" link that they click on. It would click to a page with a template that would look up the email address for the user (email address stored per our earlier thread) and it would send them a special URL where they can reset their password. Likely it would be the same URL as the "forgot password" page, but with a special token in the URL to identify that they really did receive the email. There are a lot of security considerations with a feature like this that go beyond the scope of what may be practical to write in code here, but the actual password resetting part is the easiest part:

// Look up the user by name (placeholder; substitute the actual user name)
$user = $users->get("user's name");
// Assigning a plain-text value to 'pass' makes ProcessWire hash it on save
$user->pass = "user's new password";
$user->save();

You will want to be very careful before resetting the password to ensure that the user really is who they say they are. Because ProcessWire doesn't have email addresses in its current user system, there isn't any way for it to confirm that the person really is who they say they are in a lost password function (which is why there isn't one). But since you are storing email addresses (per our earlier thread) it will be possible for you to implement a password reset function. When someone requests a password reset, you will email them a URL with a sufficiently complex randomly generated code as a GET var. I recommend something like sha1(microtime() . mt_rand() . $email). You will also want to store that code locally with the user in a new field, as well as in $session (i.e. $session->code). When they click the URL to your site (from the email they received), the template handling that page will examine the code and verify that it matches up with the code stored with the user, and likewise matches up with the code stored in $session. Now give the user a form where they can enter a new password, and set a new $session variable with the same code but under a different name, like $session->confirmed_code, and make $session->code blank. Once submitted, get the confirmed_code from the $session and find the user that has it stored. Change the password to the one they submitted (per the PHP snippet above). Be sure to remove the password reset code from the user's record in the database, and unset $session->confirmed_code. This is roughly the approach that will be taken with ProcessWire's new user system, but with a couple extra security checks (code expiration for one).
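The flow described in the post above, written out as a single ProcessWire template file. This is an added example, not code from the post or from ProcessWire itself. It assumes you have added three fields to the user template yourself: `email` (per the earlier thread), `reset_code` (text) and `reset_expires` (integer); none of these are stock ProcessWire fields. It also assumes a ProcessWire version with `$user->of()`, `wireMail()` and PHP 7+, and it uses `random_bytes()` as the random code generator in place of the `sha1(microtime() . mt_rand() . $email)` suggestion, plus the code-expiration check the post mentions as a later addition. The response to the request form is the same whether or not the address is on file, so the form does not reveal which addresses are registered.

```php
<?php namespace ProcessWire;
// Added example template (e.g. /site/templates/reset.php) for the reset flow.
// Assumed custom user fields: email, reset_code (text), reset_expires (integer).

$out      = '';
$resetUrl = $page->httpUrl;   // absolute URL of this "forgot password" page
$ttl      = 3600;             // reset code lifetime in seconds (assumed value)

if ($input->post('email')) {
    // Step 1: reset requested. Generate a code, store it with the user and in $session, email it.
    $email = $sanitizer->email($input->post('email'));
    $user  = $email ? $users->get("email=" . $sanitizer->selectorValue($email)) : null;
    if ($user && $user->id) {
        $code = bin2hex(random_bytes(32));   // CSPRNG-based code (stand-in for the sha1 suggestion)
        $user->of(false);
        $user->reset_code    = $code;
        $user->reset_expires = time() + $ttl;
        $user->save();
        $session->set('code', $code);
        wireMail()->to($email)->subject('Password reset')
            ->body("Reset your password here: $resetUrl?code=$code")->send();
    }
    // Identical reply for known and unknown addresses
    $out .= "<p>If that address is on file, a reset link has been sent.</p>";

} elseif ($input->get('code')) {
    // Step 2: emailed link clicked. Code must match the user's record AND $session->code, and be unexpired.
    $code        = $sanitizer->text($input->get('code'));
    $user        = $users->get("reset_code=" . $sanitizer->selectorValue($code));
    $sessionCode = (string) $session->get('code');
    if ($user && $user->id && $sessionCode !== ''
        && hash_equals($sessionCode, $code)
        && hash_equals((string) $user->reset_code, $code)
        && (int) $user->reset_expires > time()) {
        // Move the code to a differently named session variable and blank the original
        $session->set('confirmed_code', $code);
        $session->remove('code');
        $out .= "<form method='post' action='$resetUrl'>"
              . "<input type='password' name='pass' placeholder='New password'>"
              . "<input type='submit' value='Set password'></form>";
    } else {
        $out .= "<p>This reset link is invalid or has expired.</p>";
    }

} elseif ($input->post('pass') && $session->get('confirmed_code')) {
    // Step 3: new password submitted. Find the user by confirmed_code, change the password, clean up.
    $code = (string) $session->get('confirmed_code');
    $user = $users->get("reset_code=" . $sanitizer->selectorValue($code));
    if ($user && $user->id && (int) $user->reset_expires > time()) {
        $user->of(false);
        $user->pass          = $input->post('pass');   // ProcessWire hashes it on save
        $user->reset_code    = '';                     // remove the code from the user's record
        $user->reset_expires = 0;
        $user->save();
        $out .= "<p>Your password has been changed. You can now log in.</p>";
    } else {
        $out .= "<p>Reset session not found; please start again.</p>";
    }
    $session->remove('confirmed_code');   // one-time use

} else {
    // Default: show the "forgot password" form
    $out .= "<form method='post' action='$resetUrl'>"
          . "<input type='email' name='email' placeholder='Your email address'>"
          . "<input type='submit' value='Send reset link'></form>";
}

echo $out;
```

Because the code is compared both against the user record and against `$session->code`, the link only works in the browser session that requested it, which is the point of the double check in the post; `hash_equals()` keeps the comparisons constant-time, and clearing `reset_code` on the record plus `confirmed_code` in the session makes each code single-use. Adding ProcessWire's `$session->CSRF` token to the two forms is a worthwhile addition left out here for brevity.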

If you are okay with the security implications of it (unencrypted or unhashed passwords), you could also just keep a copy of their current password in your /members/ pages and email it to them when they forget. You wouldn't want to do this on a site used for anything sensitive, but it may be fine to do for your needs.
