Confirm password on non vb pages
 

The ideas sound, just need help making it happen.

So ive created an external page and on this page as of now all i have is a confirm password box that i took from the modifypassword? template.

this is the content of ext.php
right now im just playing around with it, trying to make it actually confirm the password, i stole some code from profile.php and have removed some of it.

so whats it suppose to do?
well when the user confirms there password, i want it to redirect the user to one page. if the user gets the password wrong redirect them to another (possibly log them out also....for security reasons?... MAYBE)

oh and the content of my ext template:
as of right now im not getting any responce with this other than when you submit the input it adds the DO to the url "?do=confirmpassword" been messing about for a while now and cant seem to get it to do much more than that

Well, confirm password is the second password box, so the user has to enter the password twice to make sure they don't make a typo when changing their password. Is that what you're trying to do, or are you trying to verify the user's password?

What do you mean by "external", are you including global.php in your script?

when i say confirm password, i mean confirm the current password. as in a way to verify its you. like if you go to usercp and edit email / password the first box is current password. thats the only part im wanting to check.

and yes i include global, i guess its not really an external page its still a vb powered page. i used https://vborg.vbsupport.ru/showthread.php?t=62164 for that part.

so if i enter the correct current password, i get redirected to one page, else i get redirected to another.

I've been up and down profile.php, im pretty sure i have all i need i just cant seem to edit it correctly =/

and yes this will go along with the thing i posted last night but shhhh ;) lol

I think I understand what you want to do, but I'm not sure I follow the way you're trying to do this. I think what you'd want to do is look at how the regular login works, not the place where the password is changed. You want to make sure, for instance, that you're using the strike system or something similar, or else your new page will bypass that security and allow unlimited guesses.

but this wont be a login.

k im logged on to vBulletin.org, i leave (run to the store or something) while leaving vb.org open. any member of my household may it be a little brother, sister with a grudge, w/e see's I'm logged into my favorite forum and decides to go post happy with a bunch of nonsense. Resulting in me getting warnings/infractions/ or even banned. (note* i myself dont have this issue it's just an example lol)

so after 5 mins or so im sent to an idle page where im still logged in... but i have to confirm my password to get off that page.

--------------- Added [DATE]1424873477[/DATE] at [TIME]1424873477[/TIME] ---------------

and the only place in vb where you confirm your current password, is where you set a new one, thats why i went with that for a base.

but i can see where this gets vulnerable... whats to stop me from navigating from ext.php to index.php, no clue how to fix that one lol, one step at a time

--------------- Added [DATE]1424873798[/DATE] at [TIME]1424873798[/TIME] ---------------

you know what... this idea is kind of stupid when i think about it, it'd be much better to force logout the user than to just have them re enter their password.

im going to go back to getting the avatar even when their logged out. and i did put a better example in that thread

Oh, I see, I was wrong. "enter your present password". Yeah, that's a reasonable place to look. But it's different than the "confirm password" that's on the same page.

In profile.php, it's the section that starts with:
Anyway, if you have a password the user entered, say in $password for example (in profile.php it's in $vbulletin->GPC['currentpassword']), then you'd do something like:

But to complicate things, the vb code has javascript which does an md5 on the password so that it's not sent in clear text, except that the code has to work if someone has javascript disabled, so the code is a little complicated because it allows for either case. I don't know if you want to bother with that or not.

Regarding the strike system, I don't think you have to worry about that if you're only allowing your page to be executed by users who are already logged in.

so i tried passing that into the POST with no success

ext.php:
ext template (is same as OP)

Well, I only used $password as an example to make it clear what the code is doing. You need to get the value that's being submitted from your form and use that. You can use the vbulletin input cleaning system if you want. What's the name on the form <input> that has the password?

--------------- Added [DATE]1424876530[/DATE] at [TIME]1424876530[/TIME] ---------------

its all in the OP

OK, then for the password check part you'd want something like:

I haven't studied the overall approach so I can't say this is going to work, but the password checking part should be close to correct.

BTW, I used clean_array_gpc above even though it's cleaning only one input (there is a function to do a single input) because I figure you might have other fields to check. If not, it doesn't really hurt anything.

ive made some changes to the template:
im not sure if that original script was of any significance (i removed it):
and i cleaned up the ext.php:
the end result is still leaving me puzzled and only redirecting my URL to the POST:
no errors in console, nor any i am seeing =/

Oh, OK, the line that starts eval('print_output... is going to end the script (after outputting the template). You should probably move everything between require_once('./global.php'); and if ($_POST['do'] == 'confirmpassword'){ to the end of the script, since you don't need to output anything if the user gets redirected.

made no difference =/

Hmm...ok, I think you either need to make 'do' a hidden input field, or else change the 'if' in your script to check $_GET['do'] instead of POST.

AND THE _GET won it lol, i only didnt even bother trying that cause _GET is depricated code, I was trying 10000000 different things along with your suggestions along the way, but i guess since this is all older code it makes since that worked =)

just when i was going to tell you to click the 2nd URL in my sig too lol, shows you my screen ;)

--------------- Added [DATE]1424879932[/DATE] at [TIME]1424879932[/TIME] ---------------

but now that it works, i cant help but realize how vulnerable it is. Like i said before whats to stop me from just navigating to another directory =/

--------------- Added [DATE]1424880091[/DATE] at [TIME]1424880091[/TIME] ---------------

also, thank you kevin again. you've helped me out quite a bit lately and i truly appreciate it

Is it deprecated? I don't keep up on that stuff, but after I read your post I googled it and didn't find anything about that. I did find some mention of having all those globals deprecated in php 6. In any case, like I mentioned above you could use <input type="hidden" name="do" value="confirmpassword"> in your form, then go back to checking $_POST['do'].

I was wondering about that. You'd need something to check on every page if they are 'idle'. Maybe you could save that in the database somewhere (like add a column to the session table) and put some code on one of the global hooks to check it. But I've only thought about it for like 30 seconds, so I'm not sure.

http://php.net/manual/en/reserved.variables.get.php i read that wrong (my bad) lol

and wouldnt local storage or a cookie work for keeping them on that page (redirect to that page no matter what) untill the password was confirmed?

or would it have to be sql based?

--------------- Added [DATE]1424881325[/DATE] at [TIME]1424881325[/TIME] ---------------

and i have an idle timer i created for this already, would it be possible to modify table (0,1 maybe) using this timer
the timer would set the table to 1 and entering the password back to 0?

--------------- Added [DATE]1424881481[/DATE] at [TIME]1424881481[/TIME] ---------------

i think im on to something with this http://www.9lessons.info/2011/03/liv...-and-ajax.html

Oh, yeah, I can see how you could make that mistake.


You could use a cookie, but people can disable cookies, or delete or fake the value of cookies, so it depends on how secure you need it to be.


You'd have to connect to the server when the timer ran out, to a script that did whatever you needed to do to put them in idle mode (unless you go the cookie route, in which case I believe you can write one with js). You could just load a new page when the timer ran out, I think that's easy enough to do.

i think im going to go the sql route, this isnt a product for me personally, just some extra security to add to your forum.

It's a little scary route cause im a beginner in real PHP lol vB template php dont really count, and messing with tables is also new to me, although ive done a little before. but i think i can get most of it, and im sure what i cant figure out i'll get resolved one way or another, got this great community and that one Kevin guy who's pretty awesome =)

Why don't you just log the user out of the forum after X amount of time?

right lol, wouldnt that be so much easier! i did think of that, but it comes down to i had the idea... now it just has to be made. More of a personal satisfaction kind of thing, and i think it will in the end make a pretty good product, even though in a sence all it will be doing is logging out the user, not in the typical way but locking down their account untill their password is confirmed.

and its a good learning process, never hurts to new learn new things and no matter what project i take on i always learn something =)

--------------- Added [DATE]1424883575[/DATE] at [TIME]1424883575[/TIME] ---------------

kev you think
would be the way to go with this?

im not sure how to set a default value, it would only need to be 1 (on) 2 (off) right?