如何生成随机密码，或临时的URL，Zend框架重置密码？ [英] How to generate random password, or temporary URL, for resetting password in Zend Framework?

问题描述

我有一个使用 Zend_Auth_Adapter_DbTable 基本的认证过程。我已经登录和注销我的身份验证控制器动作。现在，我想创建一个功能，通过自动生成一个密码，保存新的密码，并将它们发送与新生成的密码的电子邮件重置忘记的密码。

I have a basic authentication process that uses Zend_Auth_Adapter_DbTable. I have login and logout actions on my Authentication Controller. Now I want to create a function to reset forgotten passwords by automatically generating a password, saving the new password, and sending them an email with the newly generated password.

什么会去这样做的最好方法？我应该如何生成一个新的密码？是否Zend框架有任何可能使这更容易？

What would be the best process to go about doing this? How should I generate a new password? Does the Zend Framework have anything that would make this easier?

我也听说了一个链接到一个短期的页面，让他们设置新密码发送电子邮件。怎么可能这与Zend框架做了什么？

I have also heard about sending an email with a link to a short term page that lets them set a new password. How might this be done with the Zend Framework?

推荐答案

Zend框架没有一个密码生成类。下面是关于如何使用PEAR模块的一篇文章 Text_Password 来生成一个密码：
的https://web.archive.org/web/1/http://blogs.techrepublic%2ecom%2ecom/howdoi/?p=118

Zend Framework does not have a password-generating class. Here's an article on how to use the PEAR module Text_Password to generate a password: https://web.archive.org/web/1/http://blogs.techrepublic%2ecom%2ecom/howdoi/?p=118

不过，这不是一个良好的安全习惯在一个普通的电子邮件发送密码。相反，你应该重新设置自己的帐户，使他们可以暂时登录不给密码（给你的电子邮件发送的到期URL），一旦他们登录，要求他们更新自己的密码的东西的他们的认识。然后存储密码的哈希盐渍

However, it's not a good security practice to send the password in a plain email. Instead, you should reset their account so they can temporarily log in without giving a password (given an expiring URL you send them in the email), and once they log in, require them to update their own password to something they know. Then store the salted hash of their password.

下面是一些建议，把我的头在Zend框架做这个的顶部：

Here's some suggestion off the top of my head for doing this in Zend Framework:

• 定义表格 AccountReset 与字段： reset_id （GUID主键）， ACCOUNT_ID （参考 Accounts.account_id ）和过期（时间戳）。


• 实施所谓的行动的AccountController :: resetAction（），即在用于创建帐户，登录，更改密码等相同的控制器。


• 当用户选择重置自己的账户，插入一个 AccountReset 表中的新行新的GUID，用户的帐户，并且有一个过期 30分左右在未来。


• 发送电子邮件至该地址上的文件为该用户，包括他应该点击的URL：HTTPS ... /帐号/ RESET / reset_id / ＆LT; GUID 方式＆gt; （如果你是聪明与路由规则，可以缩短这个URL，但保留GUID的话）


• 当的AccountController :: resetAction（）收到请求时，它会在 reset_id 参数的 AccountReset 表。如果GUID存在，而过期时间还没有过去，present与表单用户更改自己的密码（不需要他进行身份验证和登录）。


• 如果 resetAction（）接收到没有GUID的请求，或GUID不存在于数据库中，或该行已经通过了到期，那么这一行动可能代替present用户提供了一个按钮来启动一个新的复位请求，并用新的GUID发送电子邮件。请记住，使得该按钮POST请求！

• Define a table AccountReset with fields: reset_id (GUID primary key), account_id (reference to Accounts.account_id), and expiration (timestamp).
• Implement an action called AccountController::resetAction(), i.e. in the same controller you use for creating accounts, logging in, changing passwords, etc.
• When a user chooses to reset his account, insert a new row in an AccountReset table with a new GUID, a reference to the user's account, and an expiration 30 minutes or so in the future.
• Send an email to the address on file for that user, including an URL he should click on: "https.../account/reset/reset_id/<GUID>" (if you're clever with routing rules, you can shorten that URL, but keep the GUID in it).
• When AccountController::resetAction() receives the request, it looks up its reset_id param in the AccountReset table. If that GUID exists and the expiration time has not passed, present the user with a form to change his password (without requiring he is authenticated and logged in).
• If resetAction() receives a request with no GUID, or the GUID doesn't exist in the database, or that row has passed its expiration, then this action may instead present the user with a button to initiate a new reset request, and send an email with a new GUID. Remember to make this button a POST request!

由于GUID是沟通只在电子邮件的地址为该用户，没有人可以进入更改密码。即使用户的电子邮件被拦截，这里只有一个有限的时间内GUID将授予该访问。

Because the GUID is communicated only in email to the address for that user, no one else can gain access to change the password. Even if the user's email gets intercepted, there's only a limited time the GUID would grant that access.

如果你想更加谨慎，你可以记在 AccountReset 表中的客户端的IP地址，并要求密码从客户端来改变与相同的IP地址，有30分钟的窗口内。

If you want to be even more cautious, you could make note of the client IP address in the AccountReset table, and require the password be changed from a client with the same IP address, within that 30 minute window.

这是唯一现成的，袖口，我还没有实现它或评价它适当的安全。如果你是负责执行的安全性，这是你的职责，在安全问题上读了。 PHP的安全性的广泛关注资源是 http://phpsecurity.org/ 。

This is only off-the-cuff, and I haven't implemented it or evaluated it for proper security. If you are responsible for implementing security, it's your duty to read up on security issues. A well-regarded resource for PHP security is http://phpsecurity.org/.

这篇关于如何生成随机密码，或临时的URL，Zend框架重置密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！