Force Users To Change Password on First Login
I'm working on this login form at the moment (I didn't paste the code but it is above my posted code in my file). Basically, when I create a new user I want a random password to be generated (which in the future will be emailed to the user). For that reason I decided not to encrypt the randomly generated password and it's giving me trouble now... My below code is attempting to redirect people with active = 0 to the first_login page, where they will be forced to change their password, which will turn them into an active user. But I want people with active = 1 to be able to log in with their encrypted password. Please tell me what I'm doing wrong and thanks for your help. Check out my code below.
    session_start();
    include($_SERVER['DOCUMENT_ROOT'].'/crm/connect/db.php');
    mysqli_select_db($conn, 'users');

    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $user = mysqli_real_escape_string($conn, $_POST['user']);
        $pass = mysqli_real_escape_string($conn, $_POST['pass']);
        $hashedpassword = password_hash($pass, PASSWORD_DEFAULT); // never used below

        $sql = "select * from users where username ='$user'";
        $result = mysqli_query($conn, $sql);
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
        $role = $row["admin"];

        // As posted: `=` assigns the stored password to $pass instead of comparing,
        // so the second operand is true whenever the stored value is truthy.
        if ($row["active"] == 0 && $pass = $row["password"]) {
            header('location:initial_login.php');
        }
        elseif (password_verify($pass, $row["password"])) {
            $_SESSION['username'] = $user;
            $_SESSION['admin'] = $role;
            header('location:index.php');
        } else {
            echo 'incorrect!';
        }
    }
/// PROBLEM SOLVED - changed $pass = $row["password"] to $pass == $row["password"] ///
    session_start();
    include($_SERVER['DOCUMENT_ROOT'].'/crm/connect/db.php');
    mysqli_select_db($conn, 'users');

    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $user = mysqli_real_escape_string($conn, $_POST['user']);
        $pass = mysqli_real_escape_string($conn, $_POST['pass']);
        $hashedpassword = password_hash($pass, PASSWORD_DEFAULT); // never used below

        $sql = "select * from users where username ='$user'";
        $result = mysqli_query($conn, $sql);
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
        $role = $row["admin"];

        // Inactive account: the stored temporary password is plaintext, so compare directly.
        if ($row["active"] == 0 && $pass == $row["password"]) {
            header('location:initial_login.php');
            exit;
        } elseif (password_verify($pass, $row["password"])) {
            // The posted version echoed 'incorrect!' before this check, which sends
            // output ahead of header() and shows the message to valid users too.
            $_SESSION['username'] = $user;
            $_SESSION['admin'] = $role;
            header('location:index.php');
            exit;
        } else {
            echo 'incorrect!';
        }
    }
php
What exactly is going wrong?
– Jerodev
Nov 22 at 16:28
I would suggest you encrypt the random password too. All passwords must be treated as equal. So basically what you do is encrypt the password on the JS side when the user attempts to log in. You could create a new column in your database which stores the first password in order to send it to the users.
– Osakr
Nov 22 at 16:28
3
You haven't actually told us what is going wrong with your current code, but you have at least one typo: pass = $row["password"] should be pass == $row["password"]
– IMSoP
Nov 22 at 16:29
@Osakr I would be willing to do that, my only question is how I would achieve sending them their password through email after if it's encrypted. Let me know if there's a way. Thanks for your response.
– Daniel Violante
Nov 22 at 16:29
What's going wrong is that it's going straight to initial_login.php regardless of what active is or what the password is. It seems like it's just straight up wrong.
– Daniel Violante
Nov 22 at 16:31
edited Nov 22 at 16:39
asked Nov 22 at 16:19
Daniel Violante
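An added example, not code from the question or its comments: one way to build the first-login flow so the temporary password is hashed like every other password and the active flag only picks the destination after password_verify succeeds. The function names and the in-memory SQLite database are assumptions made so the script runs stand-alone; the column names follow the question's users table.

```php
<?php
// Added example (not the asker's code). Columns mirror the question's users
// table; SQLite in memory and all function names are assumptions for the demo.
declare(strict_types=1);

function createUser(PDO $db, string $username): string
{
    // Random temporary password: handed out once, only its hash is stored.
    $temp = bin2hex(random_bytes(8));
    $stmt = $db->prepare(
        'INSERT INTO users (username, password, active, admin) VALUES (?, ?, 0, 0)'
    );
    $stmt->execute([$username, password_hash($temp, PASSWORD_DEFAULT)]);
    return $temp;
}

// Returns 'denied', 'must_change' (send to initial_login.php) or 'ok'.
function login(PDO $db, string $username, string $password): string
{
    // Bound parameter instead of string interpolation; the raw password is
    // passed to password_verify unescaped.
    $stmt = $db->prepare('SELECT password, active FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return 'denied';
    }
    // The flag is consulted only after the password has matched.
    return (int) $row['active'] === 0 ? 'must_change' : 'ok';
}

function changePassword(PDO $db, string $username, string $current, string $new): bool
{
    // Re-verify the current password so this step cannot be reached directly.
    if (login($db, $username, $current) === 'denied') {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET password = ?, active = 1 WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return true;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, active INTEGER, admin INTEGER)');

$temp = createUser($db, 'alice');
var_dump(login($db, 'alice', 'wrong-guess'));
var_dump(login($db, 'alice', $temp));
var_dump(changePassword($db, 'alice', $temp, 'a new long passphrase'));
var_dump(login($db, 'alice', $temp));
var_dump(login($db, 'alice', 'a new long passphrase'));
```

The temporary password exists in plaintext only in the return value of createUser, which is the point at which it would be emailed.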