So I am creating a website that basically allows user to sign up using their facebook account/facebook connect and just a traditional sign up (username, password). Now currently my table looks like this:
uid, username, password, email
I was thinking of how can I change this table structure to incorporate the facebook account connect as it doesn't have any username or password in it, should I just store the email and leave the username and password blank? How do other sites that have such login structure save this information?
You'll really want to store the facebook_id as well, for which I recommend using a bigint.
You might also want to add a status column that indicates whether this user account was created via email address or facebook_id, so that at login time you know which to check. Alternately, you could just check the one that you have credentials for.
This is a fairly open ended question, and the answers depend on what your trying to accomplish, and the use cases you're trying to address. Some general thoughts/suggestions: You should also store the Facebook ID as a separate column. You can leave the username blank, as the Facebook ID can uniquely identify the user, or you can use the email as the username. If you use only Facebook connect, you don't need the password since you can use the JS SDK to make sure the user has a valid Facebook login session.
Related
Just want to ask if there is some way to add automatic email confirmation to vb.net website.
I want that user create new account in the website and the website sent the confirmation link to them. Only if the confirmation email is clicked the user will be able to fully register.
I know that there are ways with build in login page from vb. But I'm using my own login. Mainly becouse the database where user connect is MySql.
something like this: http://www.asp.net/web-forms/videos/authentication/implement-the-registration-verification-pattern
Any idea where to look? most of the google search links are with php or to Microsoft Sql.
Thanks in advance for any good link or solution.
Petr
basically, when an user registers the account, you generate a confirmation # (I will use GUID), then send the user an email with the confirmation link. the confirmation link is the url of the confirmation page with the confirmation # as parameter, i.e. www.mysite.com/confirmation.aspx?code={guid} . you save the confirmation code in the database with the user account table (it could be in the same table or a separated table). the user has to click the confirmation url to confirm. when confirm, you just need to check whether the code is the same as the Guid in the database.
Basically, the process is the same and it has no much relation with mySQL or SQL Server.
here is an example, although it is C#, the same process, just a little bit different syntax in code:
http://www.webreference.com/programming/asp_net/registration-confirmation-system/index.html
also
asp.net confirmation mail send link that contains a unique identifier
I've been looking into storing user passwords in mysql and the ubiquitous reply is to store it using an encryption algorithm like MD5 or SHA1. But what if user x forgets her password and wants it to be sent to her? What then? I can't send her the md5 hash! How is this issue dealt with in the real world. Are there two databases? One to compare hashes and another for forgotten passwords? But what's the difference, both would be read-only by the sql user connecting to it at that time. So how do you do it? Thanks!!
It's pretty standard security practice to never send users their password. Instead, you offer a password reset utility that is tied to their ability to access their e-mail account, and/or ability to answer question about their profile (like a security question or what postal code they live in).
Functionality Outline:
User clicks "forgot password link"
User enters security challenge information (e-mail address, security question if desired)
System sends password reset e-mail with auto-generated link (with generated GUID in a querystring for instance)
System creates a password reset record containing the reset GUID, what user it is for, and when the key will time out.
User retrieves e-mail, clicks on link.
System matches GUID, deletes password reset record, sends user to password reset page.
The best solution is to send the user a link where they can enter a new password without having to enter the forgotten one.
This link should only work once and it should work only for a few hours.
Don't create a new password and send that by mail; users will feel tempted to use that password (ignoring the fact that is has been transmitted over an insecure channel).
You are correct that passwords should not be stored in plain text (they should be hashed) and therefore cannot be delivered to users who have forgotten their password.
Essentially, what you desire is a way to circumvent your normal authentication scheme and you should first be aware that such a mechanism is a back door to the application.
Very often an assumption is made that only the desired user can access emails sent to the email address registered with your application. It is on this assumption that the 'standard' password reset mechanism is based. Here's my take on that:
The forgotten password page is requested and the user is asked to enter their registered email address into a form which they then submit
The receiving code checks that the submitted email address is indeed registered and if it is:
delete any existing password reset tokens for this address from the appropriate storage
generate and store a new password reset token for this address
send an email to the user which informs them that
'someone' has requested a password reset
to click the link if they do indeed wish to reset
to ignore the email if they did not request a reset
respond to the form submission with a page which says something along the lines of "if the address submitted was registered then a reset email has been sent"
If the submitted address was not one registered with the application then do nothing but respond to the submission with a page which says something along the lines of "if the address submitted was registered then a reset email has been sent" - just the same as if the address was a valid one (this is to make it more difficult for someone to discover email addresses registered with the application)
The user then receives the forgotten password email and clicks the link within it. The link delivers the password reset token to the application.
Upon receipt of a password reset token, the code checks that the token exists in storage and that it has not yet expired. If these hold true, then you assume that it must be the registered user who submitted the token and you can allow them to set a new password (a simple form with password and password confirmation inputs and a submit button and which contains zero personal information - not even their name).
Once the password has been set, you can direct the user to the login page where they enter their credentials as normal.
This isn't a perfect scheme. It's a trade-off between security and convenience and make no mistake that it constitutes a back door to the application. For low value applications it is usually good enough.
Further reading:
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
Forgot Password: what is the best method of implementing a forgot password function?
Why is "Forgotten Password" bad?
I am creating an iOS App which the user will be able to login to via his account with our website (internal), or via Facebook or Twitter.
What I would like to know is how should I manage the database in order to verify his Facebook / Twitter account with his internal account on my website?
I.e When the user logs in via his internal account, I just run a simple authentication check to see if his username and password are valid. However with Facebook and Twitter, I obviously can't do this as I don't have access to the user's password.
Thanks in advanced.
my suggestion is that you would create a new table for each of the login types and connect it to your users/members table.
for example - for facebook login you would have a facebook_users table to hold the user's data (such as name, pic and most important - fbid)
than add a column named facebook_user_id to your existing members table.
in order to get the logged user from facebook you don't need to access his password... you should use the Facebook JS SDK and specifically the FB.getLoginStatus and FB.login function...
offcourse my suggestion is only one of many applicable ways to accomplish the task
Save fbid instead of fb-login user_name (you can keep both) of the user in your internal login table - A unique mapping exists (I'm sure something similar exists for twitter as well). Why do you need fb password for it?
Moreover, you run the check on internal table to authenticate user account, but when using login from fb or twitter, isn't the user already authenticated?
I'm busy to enable login stuff via facebook oauth on my website, but the only thing I want to get is the email of the user.
I saw in dev docs the 'scope=email' but, it seem's mandatory for the user to allow access to anything about him.
is there's a way to ask him to grant access only on his email ?
No. The bare minimum that your app will request from the user is his Basic Information, followed by your extended permissions (in your case, his email address).
nope. email is a so called extended permission. so you have to get the basic set of data of the user. (like: name, fbid, gender, locale).
I am trying to implement a simple login system with facebook, but I need users to pick a username. What I was thinking was to get all the information I need from facebook, request permissions, then add the information to the database, redirect to a form asking for a username and then add that to the database, to the same entry.
I think a transaction is needed so I don't end up with any half completed database entries. But I've only ever used them on the same page, so I'm wondering if this is safe? If it fails then there is no point where I would be telling the database to roll back the changes and it would be with a transaction open.
Is this right or will it be ok?
I think you made it more complicated than it should be :)
No need to enter facebook id into database before username as you can always grab it later.
Forward user to login screen (or better just open login popup using javascript FB API)
Once user is logged in forward them to username picking page (or better do javascript popup without page redirect)
When user is entered username request the current user id from facebook on server side (by either using graph api or fql) and then if everything is ok enter this record to database.