Set password on registration

[pilot830]

Let people set password right on the Registration page.. this way a password does not have to be emailed to them

Or you could email them as usual but for password field just put: ******** (censored)

This is for security reasons AND because the thing I'm noticing is that a percentage of users that are registering, their welcome / registration email is going to the SPAM FOLDER..So they sit around waiting for their login credentials not knowing its there in the spam folder

if you made it so that they could set the password right upon registration, then they could immediately begin using the site

 

[parham4229]

You can use services like mandrillapp.com to assure that they emails would go in to inbox and not the spam folder

 

[pilot830]

I'm aware but that is not the point

 

[pilot830]

Having users set a password on registration form (and then doing some sort of confirming their account via email after, but still being able to login) is especially important because im getting at least 5-10 accounts a month where they put in a invalid email and then what? How will I determine how many accounts are invalid email? I cant comb through thousands of accounts looking for invalid emails.

Like the current system is ensuring that we will ALL have a bunch of user accounts piling up with no valid email, as people tend to do this

 

[salesmcc134575]

I agree with this. We need to have the option to allow our members to create a password. Some of our members do NOT get the email even after waiting, and checking their spam. We have verified the email on file for them, and the email still won't get received. We have also tested our SMTP and it works perfect.

Please provide this option in the next update.

 

[yuser]

this would be an awesome feature because some ppl don't want to Login to Email for activation somebody maybe can do a php script for this ?

 

[pilot830]

There are many reasons to set password on registration, I agree and I hope it gets done because it is annoying so many people are having trouble logging in with their passwords, or their welcome email goes in the spam folder

 

[pilot830]

this would be an awesome feature because some ppl don't want to Login to Email for activation somebody maybe can do a php script for this ?

Why should we have to do something that is so obvious? Just right now, my emails are not going through.....So now people are not getting my emails

why would they need to worry about getting an email

when they could set the password themselves

And at least be able to log in , edit their email to a different one if theres a problem, and validate it

Why should I have I have to use a mail service, to ensure my mail goes into the inbox ?

Then when I use the mail service, the mail service is slow sometimes, and it takes forever to get the registration email ?

So then let me go run my own mail server, and even though ive setup spf, dkim, everything correct, It still goes to spam folder ?

Then people complain they either didn't get their email, or its taking too long

All could be avoided. It's really demoralizing. So we're suppose to go make the custom changes ourselves, so that when yetishare releases a new version, it ends up undoing the change because they don't want to give people the ability to create pw on registration. So we end up having to re-make the custom change every single release. I get that they're busy, my issue is not that, my issue is being told by yetishare that they don't see setting the password on the registration form as better than currently. If they said, yea you're right, we're gonna do that at some point, that would be fine. But to tell me no, thats not a good idea....

 

[ysmods]

Something like this?

https://i.imgur.com/XnGIxkB.png

 

[salesmcc134575]

@ysmods: YES exactly like that!

 

[ysmods]

Download it for free: https://forums.ysmods.com/index.php/files/file/38-set-password-when-registering/

ps: only took 5 minutes to implement the code

 

[pilot830]

Dear ysmods,

Thank you for doing the free mod. Will the mod be updated with each release? If so, then I guess I have no reason not to use it. My issue is mostly that every yetishare release, if the ability to choose password is still not there upon registration, then we will have to keep re-implementing a mod or change. But if you're saying you will update, then ok i guess thats cool

 

[ysmods]

Hi,

Yes the mod will be updated with each release, I have it on good authority that there will not be a major update for a couple of months at the earliest.

 

[jaredesguerra4757]

Ysmods , I think you need to change this

$newPassword = $password;

with

$newPassword = Password::createHash($password);

Else when the user tries to login , the password hash does not match since the password was initially saved as plain text.

Please correct me if i am wrong.

 

[ysmods]

Ysmods , I think you need to change this

$newPassword = $password;

with

$newPassword = Password::createHash($password);

Else when the user tries to login , the password hash does not match since the password was initially saved as plain text.

Please correct me if i am wrong.

You are completely wrong

When the user is added to the database, its using:

$newUser     = UserPeer::create($username, $newPassword, $emailAddress, $title, $firstname, $lastname);

Which is in userpeer.class.php

static function create($username, $password, $email, $title, $firstname, $lastname, $accType = 'user')
{
	$dbInsert                 = new DBObject("users", array("username", "password", "email",
		"title", "firstname", "lastname", "datecreated",
		"createdip", "status", "level_id", "paymentTracker", "identifier")
	);
	$dbInsert->username       = $username;
	$dbInsert->password       = MD5($password);
	$dbInsert->email          = $email;
	$dbInsert->title          = $title;
	$dbInsert->firstname      = $firstname;
	$dbInsert->lastname       = $lastname;
	$dbInsert->datecreated    = coreFunctions::sqlDateTime();
	$dbInsert->createdip      = coreFunctions::getUsersIPAddress();
	$dbInsert->status         = 'active';
	$dbInsert->level_id       = 1;
	$dbInsert->paymentTracker = MD5(time() . $username);
	$dbInsert->identifier     = MD5(time() . $username . $password);
	if ($dbInsert->insert())
	{
		return $dbInsert;
	}

	return false;
}

As you can see, the password is not stored in plain text because of this line

$dbInsert->password       = MD5($password);

Then when a user logs in for the first time the password is converted to the new hashing method

public function login($username, $rawPassword, $fromLoginForm = false)
{
	$rs = $this->convertPassword($username, $rawPassword);
	if ($rs == false)
	{
		return false;
	}
	return $this->attemptLogin($username, $rawPassword, false, $fromLoginForm);
}

This happens

$rs = $this->convertPassword($username, $rawPassword);

Which matches the md5'd password in the database with the plaintext password

if ($user['password'] == md5($rawPassword))

Then converts the password to sha256 instead of md5

$sha256Password = Password::createHash($rawPassword);

If I would have used

$newPassword = Password::createHash($password);

When the user was added to the database by UserPeer::create, the password is hashed using md5, so the hashed password from Password::createHash would never work

For example, the password was password
The password hashed using Password::createHash would be something like

sha256:1000:6fbPTSlmuvBZVm200aMhzVAnzNbPvY56:u7i03MfaWISj/Y0RA4BoKWHctyBNuvlo

The password hashed using md5 would be

5f4dcc3b5aa765d61d8327deb882cf99

So when the user is created using UserPeer::create Your already hashed password from Password::createHash would be hashed again using md5 into

9c66259fdd4c121d9a2770958eb42aab

and added to the database.

Then the user tries to log in

public function login($username, $rawPassword, $fromLoginForm = false)
{
   $rs = $this->convertPassword($username, $rawPassword);
   if ($rs == false)
   {
      return false;
   }
   return $this->attemptLogin($username, $rawPassword, false, $fromLoginForm);
}

The Password will always return false from $this->attemptLogin due to the password hashes not matching.

Only reason that $newPassword = $password; is because it was nearly 2am when I made that mod and to save editing a couple of things, I set $newPassword = $password;

 

[jaredesguerra4757]

Ok , thanks for the reply , makes sense.