Feb. 9, 2010

Enhanced password recovery for Frontend users in TYPO3 4.3

By Steffen Müller. Licensed under the Creative Commons License

Password recovery for frontend users before TYPO3 4.3 was poor and insecure: passwords were sent by e-mail in plain text, the recovery form could be abused, and it revealed private information to the public. While implementing the felogin sysext for a community website, I was surprised to find some fundamental changes to the recovery method in TYPO3 4.3.

In TYPO3 4.3, the password recovery method was refactored by Steffen Kamper and now looks much better than before. Let me demonstrate it step by step.

How does FE-user password recovery work?

1) Enter your e-mail address or username in the recovery form.

2) If the e-mail address or username exists, you receive a mail with a tokenized link for setting a new password.

Check your e-mail account and open the link within the limited timeframe. The link carries a token that combines a timestamp with a hash identifying the request, so the link expires and cannot be forged for an arbitrary account.

3) Enter the new password twice. There is a simple check on the password length.

4) Finished. The new password has been saved to the database and you can proceed to the login.
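To make the "timestamp plus hash" idea concrete, here is an added example of how such a time-limited recovery token can be built and verified. It is illustrative code written for this article, not the felogin implementation from TYPO3 4.3: the token format, the secret, the lifetime and the function names are all assumptions. A keyed hash (HMAC) is used so that only the server, which knows the secret, can produce a valid token for a given user id and expiry.

```php
<?php
// Added example: a time-limited, HMAC-protected password-recovery token.
// This is NOT TYPO3's own code; format, secret and helper names are assumptions.
declare(strict_types=1);

// Assumption: a random per-site secret kept server-side; it never appears in the link.
const RECOVERY_SECRET = 'replace-with-a-long-random-per-site-secret';
// Assumption: how long a recovery link stays valid, in seconds.
const RECOVERY_LIFETIME = 3600;

/** Build "uid|expires|hmac": the MAC binds the user id to its expiry time. */
function buildRecoveryToken(int $uid, int $now): string
{
    $expires = $now + RECOVERY_LIFETIME;
    $payload = $uid . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, RECOVERY_SECRET);
    return $payload . '|' . $mac;
}

/** Return the user id if the token is intact and not yet expired, otherwise null. */
function verifyRecoveryToken(string $token, int $now): ?int
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$uid, $expires, $mac] = $parts;
    if (!ctype_digit($uid) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $uid . '|' . $expires, RECOVERY_SECRET);
    // Constant-time comparison: a plain == or === would let an attacker
    // time the comparison and recover the MAC byte by byte.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int)$expires < $now) {
        return null; // link opened after the limited timeframe
    }
    return (int)$uid;
}

// --- Demonstration on constructed input -------------------------------------
$issuedAt = 1265673600;               // constructed timestamp for the demo
$token = buildRecoveryToken(42, $issuedAt);
echo "token: $token\n";

// Valid link opened one minute later.
var_dump(verifyRecoveryToken($token, $issuedAt + 60));          // int(42)

// Someone edits the user id in the link to hijack another account.
$tampered = preg_replace('/^42\|/', '7|', $token);
var_dump(verifyRecoveryToken($tampered, $issuedAt + 60));       // NULL

// The same link opened after the lifetime has passed.
var_dump(verifyRecoveryToken($token, $issuedAt + RECOVERY_LIFETIME + 1)); // NULL
```

Two things the token alone does not solve, and which a real implementation should handle as well: the token (or a hash of it) should be stored against the user record and cleared once the password has been changed, so a link cannot be replayed within its lifetime; and the recovery form should answer identically whether or not the submitted e-mail address or username exists, so it cannot be used to enumerate accounts.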

Problems I met

When I tried the new recovery feature, it did not work at first. After some debugging I found out that some POST parameters were missing, because I was using an outdated custom template file. If you use a custom template, make sure to update it accordingly.

Some further aspects

To configure the FE output and the e-mail text, have a look at the TypoScript of the extension with the Template Analyzer. You can also override the content of the locallang files with TypoScript:

plugin.tx_felogin_pi1._LOCAL_LANG.[lang].label = text

Of course the password check could be enhanced by adding more complex rules. But anyway, felogin in 4.3 looks very good. The documentation claims that recovery also works with the saltedpasswords sysext. That's great, because the FE-user handling now looks much more secure than before. Salted passwords for TYPO3 are explained in a blog article by Marcus Krause. Unfortunately, the sr_feuser_register extension does not (yet) natively support saltedpasswords. But you can try the extension srfeuserregister_t3secsaltedpw from TER, which should work as a bridge.

Lessons learned

  • If you use custom template files, check for changes in the original files of new releases. In the case of felogin, there have been major changes from 4.2 to 4.3. It was necessary to update my custom template manually.
  • No matter how hard you try to follow the core changelog, there's always the chance to find a feature by surprise.


License

This article is licensed under the Creative Commons License CC BY-SA 3.0. You are free to share (copy, distribute and transmit) and to remix (to adapt) the work under the following conditions:

  • You must attribute the work by mentioning the name of the author (Steffen Müller) and setting a link back to the original article using its URL.
  • If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
