I have taken over support for a Drupal site, and need to change the registration process so that users enter their password when registering, rather than receiving an email with a system generated password. This should be as simple as un-checking the "Require e-mail verification when a visitor creates an account" check box, however, the password field does not appear. Unfortunately, the person who set up the site originally is not available.
I've checked the various modules we have to see if one of them is the cause, I've checked our theme/stylesheet, and confirmed that we did not change user.module at all. I've tried installing LoginToboggan.
I do know that Drupal knows that the box is not checked, as it sends out the email for no email verification required.
Any ideas on what could prevent the password field from appearing or other places I could check?
example.com/admin/user/settings
uncheck:
Require e-mail verification when a visitor creates an account
I cannot sign in to the Kentico client portal; I keep seeing that the username and password are not correct. When I try the forgotten password link it prompts me:
no user found
When I try to sign up with the same email address it prompts me:
email already exist
It seems my account has been disabled, but how can I enable it again?
I've had this in the past when I first partnered with Kentico. Finally, after several years, I was tired of it and got it worked out by contacting Support at Kentico.com. They were able to direct me to the person who handles the different portals, who was able to clean them up. Be sure to give them all the email addresses you are using.
When users in an MVC application with Google/Facebook/Twitter authentication register for the first time, they go to the ExternalLoginConfirmation.cshtml page. There they are asked for their username, but are only allowed to fill in an email address, according to the ExternalLoginConfirmationViewModel model.
Is it set to email for a reason? In the code it creates a new applicationuser to store the user, but it uses the just-entered email for both username and email.
Can I go horribly wrong if I allow users to enter a username of their choosing, and store the email address as I got it from Google/Facebook/Twitter, etc.?
I think the MVC5 registration flow is flawed by default and needs to be reworked:
by trusting the default providers' emails (the email is set as auto-confirmed from Google+, Yahoo, MS and Facebook);
don't let the user enter an email + username, as he can register ANY email he enters in the box, straight into the AppUsers table;
MVC5 needs to create a User, if not done so already, at the ExternalLoginConfirmation method;
the default login password would be set to something blank, with links to reset it if needed (or totally disabled).
This would allow users to register on any massively trusted provider automatically, it would link accounts together as long as their email is the same, and allow accounts to be unlinked again.
The way MVC5 is set up right now is half-baked and broken, for no apparent reason.
On my site, a user enters his email when creating an account. After submitting the form, a new user row is created in db with the respective email. This row has inactive flag set to True. Next, an activation email is sent to the entered email address so that the user can activate his account and login afterwards using the email and password. There is unique constraint on email in db for login to work correctly.
The problem is that someone can use the email of another person, blocking that other person from ever registering on my site. There already is an (inactive) account with the email that the legitimate user tries to enter, so a new user row can't be created. I am not sure how to tackle this problem exactly. It probably has a good solution, because the registration scheme I use is pretty standard.
From my viewpoint, I have a solution like this:
When a user registers with the email, I will generate a unique key (maybe the user id) that will be attached to the activation link in the email content. When the user clicks to activate the account, we will get that unique key and update the confirmation for the user. That solution will help you disable a user by user id instead of by email, which can be duplicated.
Hope this helps.
You cannot find the mail id of the person who misused another's mail id, so it's not possible to an extent.
You could delete the database entry with the email after some time, if the activation link has not been clicked. Depending on your operating system, you could use cron or systemd timers (Linux) or scheduled tasks (Windows) for that.
For example, to execute a MySQL query from cron, this question might be helpful.
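The two answers above suggest a per-request activation key and a periodic purge of unconfirmed rows. The following is an added example, not code from the original question or any of its answers, that puts both ideas together in one place: the unique constraint lives on the table of confirmed users only, an unconfirmed request for an address is simply replaced by a newer one (only whoever reads the mailbox can confirm, so a squatter cannot lock the real owner out), activation tokens are stored hashed, and the expiry job from the cron answer is the purge_expired method. The 24-hour window, the PBKDF2 round count, the FakeClock and the in-memory tables are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

# Policy values are assumptions, not from the original post.
ACTIVATION_TTL = timedelta(hours=24)
PBKDF2_ROUNDS = 200_000
EXAMPLE_START = datetime(2024, 1, 1, tzinfo=timezone.utc)


class FakeClock:
    """Constructed clock so expiry can be exercised offline."""
    def __init__(self, start: datetime) -> None:
        self.t = start

    def __call__(self) -> datetime:
        return self.t

    def advance(self, **delta) -> None:
        self.t += timedelta(**delta)


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def hash_token(token: str) -> str:
    # Only the hash is stored: a dumped pending table yields no working links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Pending:
    password_hash: str
    token_hash: str
    created_at: datetime


class Registry:
    """Stand-in for the users table (unique on email) plus a separate
    pending-registration table, also keyed by email, that never blocks anyone."""

    def __init__(self, now: Callable[[], datetime]) -> None:
        self.now = now
        self.users: Dict[str, str] = {}          # email -> password hash (active accounts only)
        self.pending: Dict[str, Pending] = {}    # email -> the single unconfirmed request
        self.outbox: List[Tuple[str, str]] = []  # constructed mail sink: (to, token or notice)

    def register(self, email: str, password: str) -> None:
        """Same outward behaviour whether or not the address is known, so the form
        cannot be used to enumerate accounts; only the mailbox owner learns more."""
        email = email.strip().lower()
        if email in self.users:
            self.outbox.append((email, "already-registered"))  # notice only, no token
            return
        # An unconfirmed request for this address is simply replaced. The earlier
        # token stops working, and only the mailbox owner can ever confirm.
        token = secrets.token_urlsafe(32)
        self.pending[email] = Pending(hash_password(password), hash_token(token), self.now())
        self.outbox.append((email, token))

    def activate(self, email: str, token: str) -> bool:
        email = email.strip().lower()
        req = self.pending.get(email)
        if req is None or self.now() - req.created_at > ACTIVATION_TTL:
            return False
        if not hmac.compare_digest(hash_token(token), req.token_hash):
            return False  # replaced, reused or guessed token
        self.users[email] = req.password_hash
        del self.pending[email]
        return True

    def login(self, email: str, password: str) -> bool:
        stored = self.users.get(email.strip().lower())
        return stored is not None and verify_password(password, stored)

    def purge_expired(self) -> int:
        """The periodic clean-up job (cron, systemd timer, scheduled task)."""
        cutoff = self.now() - ACTIVATION_TTL
        stale = [e for e, r in self.pending.items() if r.created_at < cutoff]
        for e in stale:
            del self.pending[e]
        return len(stale)
```

Because the pending table is keyed by address and replaced on every request, the legitimate owner never sees "email already exists" unless a confirmed account really does exist, and even then the response to the browser is identical; the difference is only visible in the mail that reaches the mailbox.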
I am trying to sort out a peculiar behavior when creating new users as a site Admin on our Dnn installation.
I have gone into the Admin > Site Settings > User Account Settings > Profile Settings and changed a few of the fields to Required (FirstName, LastName, Title, Address etc) with Required and Visible checked and Default Visibility set to 'AllUsers'.
I have a requirement of 'None' for the 'User Registration' type, meaning the site Admin must create all new users. I also have a requirement that the password for new users be created randomly, instead of being assigned by the site Admin.
When the user is created in this manner, an email is sent with instructions to choose the 'Reset Password' option (if first time user). This built in Dnn function asks for the new user name (supplied in the email) and then sends another email with a reset password link with a token.
We are doing this to remove any password knowledge from the site Admin.
The problem is that when new users finally set their password and gain access to the system they are not being forced to fill in the required profile settings the first time (when they choose their password). They are required to fill them out when they log in the second time (without going through the reset password process).
We would really like them to be forced to complete the Profile Settings the first time regardless of whether they are setting their password via the password reset token link.
Does anyone know why this is happening? Is there a workaround?
Thanks for any information!
The answer to this question can be found here:
https://dnntracker.atlassian.net/browse/DNN-4213
I'm developing a web app and currently I'm trying to decide whether or not to let my users change their email.
If an account gets compromised, the attacker only needs to change the email and then reset the password to gain complete control of the user account. However, with no ability to change the email address, the user can regain control and simply reset the password to stop further rogue access to their account.
What do you think?
It is my opinion that the user should be able to change all details associated with their person, including their e-mail address.
The minimum security measure should be to ask the user to enter their password:
E-mail changes should be handled with the same care as password changes:
Asking for their password would prevent somebody from changing the e-mail address for an already logged-in user; after changing the e-mail address, it is usually trivially easy to get a valid password for the account, effectively taking over the account completely.
E-mail confirmation scheme:
Added security measures can come in various ways, usually consisting of some sort of e-mail confirmation.
The difficulty with e-mail confirmation is that a common reason for users to change their current e-mail address is because they can no longer access it (changed jobs, changed providers, etc, etc).
A common scheme of e-mail change confirmation is the following:
Send an e-mail to the new address with a "Confirm e-mail change" link (make sure it is a working e-mail address).
Upon receiving the confirmation from the new address:
Change the e-mail address.
Send an e-mail to the old e-mail address with a "Revoke e-mail change" link (this option should be valid for 30 days or so).
Extended security with e-mail confirmation:
For some high-risk accounts, you could only allow 'limited access' to the account for as long as the 'revocation period' is still active (the above mentioned 30 days or so).
In addition to the "Revoke e-mail change" link, you can provide a "Confirm e-mail change" link in the e-mail sent to the old address. Clicking the link would make the change of address permanent, ending the revocation and 'limited access' period immediately.
UPDATE
There seems to be some confusion about what is compromised if somebody is 'Logged in'.
There are quite a few ways for a fraudulent person to gain access to a logged-in account without knowing the password.
Consider for example the case where somebody simply walks away from the keyboard, or has chosen to use some sort of 'remember me' functionality (either provided by the browser or by the website itself).
While this is bad, a well designed system would/should limit the damage by not allowing any account-damaging actions to happen without asking for the user's password again.
The prime example for this is:
Ask the user for his/her current password if they want to change it.
Send a confirmation email to the original email address requiring some confirmation action before making the change.
Retain the old e-mail address for a while, and allow it to be used to reset the password.
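The answer above describes the whole e-mail change flow in prose: re-authenticate with the current password, confirm from the new address, then give the old address a revocation window (with optional limited access and an early "confirm" link), during which the old address can still be used to reset the password. The following is an added example, not code from the original answer, that implements that flow as one state machine so the ordering of the checks is explicit: nothing happens without the current password, the address is only swapped after the new mailbox confirms, and every link from the old mailbox is tied to the window being open. The 30-day window comes from the answer; the 24-hour confirm deadline, the FakeClock, the in-memory account store and the session_generation counter used to log out a hijacked session on revoke are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

REVOKE_WINDOW = timedelta(days=30)   # "30 days or so" from the answer
CONFIRM_TTL = timedelta(hours=24)    # assumption: how long the new-address link lives
EXAMPLE_START = datetime(2024, 1, 1, tzinfo=timezone.utc)


class FakeClock:
    """Constructed clock so the window can be advanced offline."""
    def __init__(self, start: datetime) -> None:
        self.t = start

    def __call__(self) -> datetime:
        return self.t

    def advance(self, **delta) -> None:
        self.t += timedelta(**delta)


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()  # links are stored hashed


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    pending_new: Optional[str] = None         # new address awaiting its confirm link
    confirm_hash: Optional[str] = None
    confirm_sent_at: Optional[datetime] = None
    previous_email: Optional[str] = None      # old address while the window is open
    revoke_hash: Optional[str] = None
    revoke_until: Optional[datetime] = None
    session_generation: int = 0               # bumped to invalidate every session


class EmailChangeService:
    def __init__(self, now: Callable[[], datetime]) -> None:
        self.now = now
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str, str]] = []  # mail stand-in: (to, kind, token)

    def create_account(self, acct_id: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[acct_id] = Account(email.lower(), salt, pw_hash(password, salt))

    # Step 1: re-authenticate, then mail the NEW address a confirm link.
    def request_change(self, acct_id: str, current_password: str, new_email: str) -> bool:
        a = self.accounts[acct_id]
        if not hmac.compare_digest(pw_hash(current_password, a.salt), a.password_hash):
            return False  # a hijacked 'remember me' session alone is not enough
        token = secrets.token_urlsafe(32)
        a.pending_new, a.confirm_hash, a.confirm_sent_at = new_email.lower(), token_hash(token), self.now()
        self.outbox.append((a.pending_new, "confirm-new-address", token))
        return True

    # Step 2: new mailbox confirms; swap addresses, open the window and mail the
    # OLD address one link that can either revoke or approve the change.
    def confirm_new_address(self, acct_id: str, token: str) -> bool:
        a = self.accounts[acct_id]
        if a.pending_new is None or self.now() - a.confirm_sent_at > CONFIRM_TTL:
            return False
        if not hmac.compare_digest(token_hash(token), a.confirm_hash):
            return False
        a.previous_email, a.email = a.email, a.pending_new
        a.pending_new = a.confirm_hash = a.confirm_sent_at = None
        rtoken = secrets.token_urlsafe(32)
        a.revoke_hash, a.revoke_until = token_hash(rtoken), self.now() + REVOKE_WINDOW
        self.outbox.append((a.previous_email, "revoke-or-approve", rtoken))
        return True

    def _window_open(self, a: Account) -> bool:
        return a.revoke_until is not None and self.now() < a.revoke_until

    def _old_link_valid(self, a: Account, token: str) -> bool:
        return self._window_open(a) and hmac.compare_digest(token_hash(token), a.revoke_hash)

    # Old mailbox says "that wasn't me": restore it, close the window, log everyone out.
    def revoke_change(self, acct_id: str, token: str) -> bool:
        a = self.accounts[acct_id]
        if not self._old_link_valid(a, token):
            return False
        a.email, a.previous_email, a.revoke_hash, a.revoke_until = a.previous_email, None, None, None
        a.session_generation += 1
        return True

    # Old mailbox says "yes, that was me": make the change permanent immediately.
    def approve_change(self, acct_id: str, token: str) -> bool:
        a = self.accounts[acct_id]
        if not self._old_link_valid(a, token):
            return False
        a.previous_email = a.revoke_hash = a.revoke_until = None
        return True

    def is_limited(self, acct_id: str) -> bool:
        """'Limited access' for high-risk accounts while the window is open."""
        return self._window_open(self.accounts[acct_id])

    def can_reset_password_via(self, acct_id: str, address: str) -> bool:
        """The old address may receive password resets until the window closes."""
        a = self.accounts[acct_id]
        address = address.lower()
        return address == a.email or (self._window_open(a) and address == a.previous_email)
```

The revoke path is the one that matters for the scenario in the question: an attacker who changes the address and then resets the password still loses the account when the old mailbox clicks the revoke link, because the old address is restored, the password-reset mail can again reach it, and the session generation bump throws the attacker out.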
Only let authenticated (logged in) users change their email address. If the account is compromised then they already have complete control over it. Changing email address in this case should be the least of your worries! :)