[TYPO3-core] RFC: #10017: [felogin] New Method for "forgotPassword"

Steffen Kamper info at sk-typo3.de
Fri Dec 26 19:26:20 CET 2008


Hi olly,

Oliver Hader wrote:
> Hi Steffen,
> 
> Steffen Kamper wrote:
>> This is SVN patch request.
>>
>> Type: Feature
>>
>> Branches: trunk
>>
>> BT reference: http://bugs.typo3.org/view.php?id=9885
> 
> We should get rid of sending the plain-text password in general and use
> something like Bernhard's MD5PW extension or even better the new salted
> one. I know that there are more steps to be taken (e.g. also provide
> update wizard to convert existing FE users if still plain-text method is
> used). So, what do you think?
> 

Yes. There is the plan to create a core class like t3lib_crypt having 
md5, salt, sha etc.
At the moment I suggest the salt extension from the security team, which 
comes with an update wizard to convert the existing passwords.

> I looked into your patch for some minutes and have some remarks:
> * there are the POST/GET arguments 'forgot_hash' and 'forgothash' - are
> there differences?

Yes, there is.

forgot_hash is the $_POST-var, forgothash is the $_GET-var generated for 
the "change password"-link in the email.


> * there's a new method changePassword(), but where is it called?
> 

Shame on me, 2 lines were missing in the trunk patch; they are now in the attached 
patch.

Regards, Steffen

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: felogin_forget_password_changepassword_trunk_v2.diff
Url: http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20081226/409ee61c/attachment-0001.txt 

