03-19-2017, 11:46 PM
Alright,
So I built this, and scrapped it. It worked well, but was hard to maintain when making new pages. It was even harder to take out of my system lol, gave me a reason to fully convert to PDO tho, which is good! I have a new idea though. Have a space in the admin panel to generate a "master password", valid for only 60 minutes, after which an auto-cron (which I can make myself) will just make a new one.
My thought is this:
- The auto cron will change it every 60 minutes so nobody can ever know what it is
- When the Admin wants to obtain the master password, they enter the admin panel and just generate a new one, in which case when you press the button, the system will provide you a plain text master password
- They can use this master password to enter any account (this feature will only be open to System Admins, so I don't need to worry about them breaking stuff or giving themselves extra access, etc.)
- They will use it by going to the login page, entering the username and using the Master Password
I need to know the following:
During the login process, how can I have the DB first check for the user's password and determine:
1) if valid - continue
2) if invalid - move to next
Check the Master Password
1) if valid - continue
2) if invalid - return the "password invalid blah blah" error
I would obviously want to hash the password the same as the users' passwords, as I would want it hashed in the DB so it can't be retrieved. What do I need to do to accomplish this?
Your help is GREATLY appreciated
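One way to wire up the two-step check described above in PHP with PDO, as an added example and not code from the original post: the user's own hash is tried first, then the most recent master password, which is rejected once its 60 minutes are up. The schema (a `users` table with `username`/`password_hash`, a `master_password` table with `id`/`hash`/`expires_at`) is an assumption, as are the function names.

```php
<?php
// Added example, not the poster's code. Assumed (hypothetical) schema:
//   users(username, password_hash)
//   master_password(id, hash, expires_at)   -- newest row is the current one
declare(strict_types=1);

const MASTER_TTL_SECONDS = 3600; // the 60-minute lifetime from the post

// Called from the admin panel button or the hourly cron job. Generates a
// random master password, stores ONLY its hash plus an expiry time, and
// returns the plain text once so it can be shown to the admin.
function rotateMasterPassword(PDO $db): string
{
    $plain = bin2hex(random_bytes(16));              // 32 hex chars, never stored
    $hash  = password_hash($plain, PASSWORD_DEFAULT); // same hashing as user passwords
    $stmt  = $db->prepare(
        'INSERT INTO master_password (hash, expires_at) VALUES (:hash, :exp)'
    );
    $stmt->execute([':hash' => $hash, ':exp' => time() + MASTER_TTL_SECONDS]);
    return $plain;
}

// Login check in the order the post asks for. Returns which credential
// matched (useful for the audit log), or null when the login is rejected.
function authenticate(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown user: the master password must not create accounts
    }
    // Step 1: the user's own password
    if (password_verify($password, $row['password_hash'])) {
        return 'user_password';
    }
    // Step 2: the current master password, only while it is still valid
    $m = $db->query(
        'SELECT hash, expires_at FROM master_password ORDER BY id DESC LIMIT 1'
    )->fetch(PDO::FETCH_ASSOC);
    if ($m !== false
        && (int)$m['expires_at'] > time()
        && password_verify($password, $m['hash'])) {
        // Record every master-password login so admin access to other
        // accounts stays visible in the logs.
        error_log("master password login for user {$username}");
        return 'master_password';
    }
    return null; // falls through to the usual "password invalid" error
}
```

Because only hashes are stored, a leaked database row reveals neither the user password nor the master password, and the expiry check means a stale master password fails even if the cron job has not yet replaced it.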