stmllr.net

Enhanced password recovery for Frontend users in TYPO3 4.3


Password recovery for frontend users before TYPO3 4.3 was poor and insecure. Passwords were sent by e-mail in plain text, and the recovery form could be abused and revealed private information to the public. While implementing the felogin sysext for a community website, I surprisingly found some fundamental changes in the recovery method in TYPO3 4.3.

In TYPO3 4.3, the password recovery method was refactored by Steffen Kamper and now looks much better than before. Let me demonstrate it step by step.

How does FE-user password recovery work?

1) Send your e-mail or username to recover the account password:

2) If the e-mail or username exists, you'll get a mail with a tokenized link to create a new password.

Check your e-mail account and open the link within the limited timeframe. The link has a token, which combines the timestamp and a hash to identify the request:

3) Enter the new password twice. There is a simple check for password length:

4) Finished. The new password has been saved to the database and you can proceed to login:
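
The steps above can be sketched as follows. This is an added example, not felogin's own code and not part of the original post: the function names, the user array, the one-hour lifetime and the six-character minimum are all assumptions made for illustration.

```php
<?php
// Added illustration; every name and constant below is hypothetical.
const TOKEN_LIFETIME = 3600;   // assumed validity window in seconds
const MIN_PASSWORD_LENGTH = 6; // assumed minimum for the simple length check

// Step 2: build the token for the mailed link; only its hash is stored.
function issueResetToken(array &$user, int $now): string
{
    $token = ($now + TOKEN_LIFETIME) . '|' . bin2hex(random_bytes(32));
    $user['reset_hash'] = hash('sha256', $token);
    return $token;
}

// Step 3: accept the token only if it is well-formed, unexpired and matches.
function checkResetToken(array $user, string $token, int $now): bool
{
    $parts = explode('|', $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d+$/', $parts[0]) || empty($user['reset_hash'])) {
        return false;
    }
    if ((int)$parts[0] < $now) {
        return false; // link opened after the time frame ended
    }
    // The stored hash covers the timestamp too, so editing the expiry in the
    // URL breaks the match. hash_equals() compares in constant time.
    return hash_equals($user['reset_hash'], hash('sha256', $token));
}

// Step 4: save the new password and clear the token so the link works once.
function resetPassword(array &$user, string $token, string $newPassword, int $now): bool
{
    if (!checkResetToken($user, $token, $now) || strlen($newPassword) < MIN_PASSWORD_LENGTH) {
        return false;
    }
    $user['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $user['reset_hash'] = '';
    return true;
}

// Constructed sample data: a fresh link, an expired one, then reuse after reset.
$user = ['username' => 'alice', 'password' => '', 'reset_hash' => ''];
$now = 1700000000;
$token = issueResetToken($user, $now);
var_dump(checkResetToken($user, $token, $now + 60));
var_dump(checkResetToken($user, $token, $now + TOKEN_LIFETIME + 1));
var_dump(resetPassword($user, $token, 'new-passphrase', $now + 60));
var_dump(checkResetToken($user, $token, $now + 120));
```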

Problems I met

When trying the new recovery stuff, it did not work at first. But after some debugging I found out that some POST parameters were missing, because I used an outdated custom template file. If you use a custom template, make sure to update it accordingly.

Some further aspects

To configure the FE output and e-mail text, have a look at the TypoScript of the extension with the Template Analyzer. You can also override the content of the locallang files with TypoScript:

plugin.tx_felogin_pi1._LOCAL_LANG.[lang].label = text

Of course the password check could be enhanced by adding more complex checks. But anyway, felogin in 4.3 looks very good. The documentation claims that recovery also works with the saltedpasswords sysext. That's great, because the FE-user stuff now looks much more secure than before. Salted passwords for TYPO3 are explained in a blog article by Marcus Krause. Unfortunately, the sr_feuser_register extension does not (yet) natively support saltedpasswords. But you can try the extension srfeuserregister_t3secsaltedpw from TER, which should work as a bridge.

Lessons learned

  • If you use custom template files, have a look for changes in the original files of new releases. In the case of felogin, there have been major changes from 4.2 to 4.3. It was necessary to update my custom template manually.
  • No matter how hard you try to follow the core changelog, there's always the chance to find a feature by surprise.
