[Typo3-dev] Authentication through "Security-Question/Answer"?

Christian Trabold trabold at mehrwert.de
Tue Aug 2 13:09:04 CEST 2005


Hello Martin,

>>> Well, I think you can do PAM authentication with some wrappers 
>>> provided that all you need is a login/pwd pair for credentials.
>>>
>>> If you need a two step user interaction (user enters first part of 
>>> credentials [username], server sends phrase, user enters second part 
>>> [answer]) you need a custom login form extension. And I don't think 
>>> this will fit well in the TYPO3 authentication layer as it expects 
>>> this login/pwd pair. But perhaps you can fake it and do the real 
>>> authentication in the plugin and have some token to be passed on a 
>>> special authentication service that does no real authentication but 
>>> just checks for this token.
[...]
> Could you describe the process in detail. This is how I understand it:
> 
> * display 1st form (username)
> * check username
> * display 2nd form (passphrase)
> * check passphrase
> 
> These steps should be done in your plugin.
> 
> Now you must post login data in the form field "user" and "pass" to 
> invoke the TYPO3 authentication. Best would be to use these field names 
> for the second form.
> 
> The evaluation of the form values would then be in your authentication 
> service and not in the plugin. Otherwise no user session will be 
> created. I think it's this what you are experiencing.

This is how I finally did it:

If you click the "forgot password"-link, one form with three fields 
shows up:

an input-field for username ('user'), a selectbox with different 
question-phrases ('phrase') and an input-field for the answer ('answer').

After submit, the POST-Data will be recognized. I try to get the 
password from the external table with "WHERE username=".$user." AND 
phrase = ". $phrase." AND answer = ". $answer ." ... ".

If this is true / if this user is real, the password is set into the 
hidden fields of a new form. These fields are named "user" and "pass".

Now the user can submit this form to login - and change his password :)

This all takes place in the login-extension. No special service needed.


Many thanks for your help!!

Christian
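
An added example, not code from this thread or from TYPO3: a recovery flow with the same three fields ('user', 'phrase', 'answer') that binds the POST values as query parameters and, instead of placing the stored password in hidden form fields, issues a short-lived single-use reset token. The table and column names, the 15-minute lifetime and the PDO/SQLite demo database are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema; the security answer is stored hashed, like a password.
function setupDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE recovery (username TEXT PRIMARY KEY, phrase INTEGER, answer_hash TEXT)');
    $pdo->exec('CREATE TABLE reset_token (token_hash TEXT PRIMARY KEY, username TEXT, expires INTEGER)');
    // Constructed sample row.
    $pdo->prepare('INSERT INTO recovery VALUES (?, ?, ?)')
        ->execute(['alice', 2, password_hash(normalizeAnswer('Blue Heron'), PASSWORD_DEFAULT)]);
    return $pdo;
}

function normalizeAnswer(string $answer): string {
    return strtolower(trim($answer));
}

// Returns a reset token on success, null otherwise. The password is never read.
function requestReset(PDO $pdo, string $user, int $phrase, string $answer): ?string {
    // Placeholders keep the submitted values out of the SQL text.
    $q = $pdo->prepare('SELECT answer_hash FROM recovery WHERE username = ? AND phrase = ?');
    $q->execute([$user, $phrase]);
    $hash = $q->fetchColumn();
    if ($hash === false || !password_verify(normalizeAnswer($answer), $hash)) {
        return null; // same result for unknown user and wrong answer
    }
    $token = bin2hex(random_bytes(32));
    // Only a hash of the token is stored, with a 15-minute expiry.
    $pdo->prepare('INSERT INTO reset_token VALUES (?, ?, ?)')
        ->execute([hash('sha256', $token), $user, time() + 900]);
    return $token;
}

// Returns the username the token was issued for, or null; a token works once.
function redeemToken(PDO $pdo, string $token): ?string {
    $h = hash('sha256', $token);
    $q = $pdo->prepare('SELECT username FROM reset_token WHERE token_hash = ? AND expires > ?');
    $q->execute([$h, time()]);
    $user = $q->fetchColumn();
    $pdo->prepare('DELETE FROM reset_token WHERE token_hash = ?')->execute([$h]);
    return $user === false ? null : $user;
}

$pdo = setupDemoDb();
$token = requestReset($pdo, 'alice', 2, ' blue heron ');
var_dump(redeemToken($pdo, $token));                    // first use of the token
var_dump(redeemToken($pdo, $token));                    // second use of the same token
var_dump(requestReset($pdo, "o'brien", 2, "it's me"));  // quotes are bound as plain data
```

After redeeming the token, the extension would show a "set new password" form for that user rather than posting "user" and "pass" to the login.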



