Recitation Project / Assignment #5

Blowfish Hashing and Password Reset

Due: Monday March 28, 2016 - 11:55pm

See Addendum for updates.

This assignment builds on Assignment 4, requiring you to make use of the Blowfish hashing technique and the CSV file read and write capabilities of PHP. In addition, you'll also add password reset functionality to the site.

The assignment spans two weeks. Tasks for each week are given in detail below.

In the first week, you'll download Example 2 from Lecture 15. This example has an implementation of the PHP 5.5 password_hash and password_verify protocol and also stores user information in a CSV file. You'll need to understand thoroughly how the code is organized and experiment with it until you have full control of it. You'll need to modify the CSV content to store your users' information (at least 2 users), including a user with first name "CT310", last name "User" and the password hash given in the image below. You'll also manually store the email address for each user in their corresponding record, which is currently missing from the document. The email id for the "CT310" user is "dasriniv@colostate.edu". Please do not use this user for testing purposes, as it spams Darshan's inbox.

In week two, you'll add "Forgot my password" (FMP) functionality to the login page: a link which, when clicked, takes the user to the FMP page. Create a new page for FMP that has a drop-down list of usernames and a "Send Email" button. The user selects their login user name from the choices and clicks Send Email, which triggers an email containing a special URL for resetting the password, sent to the email address on record in the CSV file (assuming the CSV file is prepopulated with users). An example of sending email is at Slides 5 - 11 of Lecture 9. You'll generate a key (a random string of at least 32 characters; refer to the PHP documentation) and append it to the URL in this manner: "https://www.cs.colostate.edu/~youreid/yourdirectory/passwordreset.php?key=779a1dtdy8jdfg9bf09cv04e79507e13". This URL makes up the content of the email. The key is also stored in a session variable so that the user can be validated when they come back to the browser by clicking the URL in the email. Therefore the key can only be recognized by a client connecting through the SAME session as the one that generated it. This prevents others from reaching the password reset page without a valid identity.

passwordreset.php is the page the user lands on when they come back to the browser; it will have a form for entering a new password. The elements of the form are "Password", "Confirm Password" and a "Submit" button. On submission, the new password is stored in the CSV file and the user is sent back to the login form. You need to validate that both fields contain the same new password before redirecting. From there, the user can log in as usual with the new password.

Under no circumstances can a person modify the on-record email address through a browser. Each record must have a unique user name and, tied to that name, an email address. Follow the model in Lec 15, which states that if no users.csv exists, a default one is constructed, pre-populated with at least two users and their email addresses. Students may use code from Lec 15 (with attribution please) to the greatest extent they find it helpful.
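The following is an added example of the reset flow described above (key generation on the FMP page, same-session key check and single use on passwordreset.php, and rewriting the user's hash in the CSV); it is not the Lecture 15 code. It assumes a users.csv column layout of username,first,last,email,hash, that the FMP page saved the selected username in $_SESSION['reset_user'], that the login page is login.php, and PHP 5.6 or later for hash_equals.

```php
<?php
// Added example, not the Lecture 15 code. Assumed users.csv columns:
// username,first,last,email,hash; session_start() has run; the FMP page
// stored the chosen username in $_SESSION['reset_user'].

// FMP page: 16 random bytes -> 32 hex chars, remembered in the session and
// appended to the emailed URL as passwordreset.php?key=<key>.
function make_reset_key() {
    $bytes = function_exists('random_bytes') ? random_bytes(16)   // PHP 7+
                                             : openssl_random_pseudo_bytes(16);
    $_SESSION['reset_key'] = bin2hex($bytes);
    return $_SESSION['reset_key'];
}

// passwordreset.php: the key is accepted only if this same session generated it;
// hash_equals (PHP 5.6+) compares in constant time.
function reset_key_is_valid($key_from_url) {
    return isset($_SESSION['reset_key']) && is_string($key_from_url)
        && hash_equals($_SESSION['reset_key'], $key_from_url);
}

// Rewrite the user's row with a fresh bcrypt (Blowfish) hash; email column untouched.
function update_password_in_csv($path, $username, $new_password) {
    $rows = array_map('str_getcsv', file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES));
    $found = false;
    foreach ($rows as $i => $row) {
        if ($row[0] === $username) {
            $rows[$i][4] = password_hash($new_password, PASSWORD_BCRYPT);
            $found = true;
        }
    }
    if (!$found) return false;
    $fh = fopen($path, 'w');
    foreach ($rows as $r) fputcsv($fh, $r);
    fclose($fh);
    return true;
}
// Form handling: key must match, both fields must agree, key discarded after one use.
$key = isset($_REQUEST['key']) ? $_REQUEST['key'] : '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $p1 = isset($_POST['password']) ? $_POST['password'] : '';
    $p2 = isset($_POST['confirm']) ? $_POST['confirm'] : '';
    if (reset_key_is_valid($key) && $p1 !== '' && $p1 === $p2
        && update_password_in_csv('users.csv', $_SESSION['reset_user'], $p1)) {
        unset($_SESSION['reset_key'], $_SESSION['reset_user']);
        header('Location: login.php');
        exit;
    }
    $error = 'Invalid reset link or the passwords do not match.';
}
```

Because the key lives only in the session that generated it and is removed after one successful reset, a copied or guessed URL from another browser session is rejected, and the email column is never written by this path.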

You will submit a single tar file "lastname.tar" with the required files. Submission will be through Canvas. Please host the site on your CS account and provide the URL to your page as a comment with the Canvas submission.

To do this assignment, please use a text editor and type all the necessary tags by hand. Please do not use any web development application to create your home page. Your work will be tested with Chrome on department machines.

Addendum (last updated 2/29/2016)

No updates at this time.