How to automatically login in new accounts? |
Posted by: radke - 11-09-2017, 06:31 PM - Forum: UserSpice 4.3 and Below
- Replies (3)
|
|
Wondering if someone more experienced (that's just about everyone) can point me in the right direction here.
For my needs I disabled email verification of new accounts. So when a new account is created it would be great to just automatically login that user, bypassing login.php.
I feel like this post put me on the right path with passing the username/pass via $_POST to login.php, but I can't quite seem to get it to work.
Can anyone help me out with this?
Also, maybe this would be a good thing to add as an option in UserSpice? This seems like something most people would want if they don't want email verification.
Thanks!!
|
|
|
redirect |
Posted by: matt - 11-08-2017, 08:05 AM - Forum: UserSpice 4.3 and Below
- Replies (5)
|
|
How would you redirect certain users to a page on login?
I know there is a custom login script but not sure what to add??
Regards
Matt
|
|
|
Force https on login.php |
Posted by: haydentech - 11-06-2017, 08:11 PM - Forum: UserSpice 4.3 and Below
- Replies (3)
|
|
I saw that there is a Force HTTPS setting in the admin settings. I don't necessarily want my entire site served via HTTPS, but I do want the login page to require it. Is there any way to force just the login page to use HTTPS?
|
|
|
danger: us4.2, us4.3 easily hackable |
Posted by: SavageStyle - 11-05-2017, 02:50 PM - Forum: UserSpice 4.3 and Below
- Replies (3)
|
|
I was testing email verification on my server, and found that the UserSpice system can be easily hacked by knowing ONLY the e-mail.
Just tested on the latest 4.3 beta. Any user that knows the UserSpice code or any foreign hacker may easily hack the system by simply revealing the hidden form on:
Code: http://localhost/us43/users/forgot_password_reset.php
(you can get form code from userspice files or just register a legit user and reset password to copy it)
So insert form code:
<div class="row">
<div class="col-xs-12">
<h2 class="text-center">Hello <?=$ruser->data()->fname;?>,</h2>
<p class="text-center">Please reset your password.</p>
<form action="forgot_password_reset.php?reset=1" method="post">
<?php if(!$errors=='') {?><div class="alert alert-danger"><?=display_errors($errors);?></div><?php } ?>
<div class="form-group">
<label for="password">New Password:</label>
<input type="password" name="password" value="" id="password" class="form-control">
</div>
<div class="form-group">
<label for="confirm">Confirm Password:</label>
<input type="password" name="confirm" value="" id="confirm" class="form-control">
</div>
<input type="hidden" name="csrf" value="d6ce184598d13738a7d4a86a562cc8fe">
<input type="hidden" name="email" value="userspicephp@gmail.com">
<input type="hidden" name="vericode" value="">
<input type="submit" name="resetPassword" value="Reset" class="btn btn-primary">
</form>
<br />
fill data in form:
<input type="hidden" name="csrf" value="d6ce184598d13738a7d4a86a562cc8fe"> - get this on registration page
<input type="hidden" name="email" value="userspicephp@gmail.com"> - default e-mail, if you know the admin e-mail, that's it
<input type="hidden" name="vericode" value=""> - VERICODE IGNORED
<input type="submit" name="resetPassword" value="Reset" class="btn btn-primary">
- now you can use this form to reset administrator's password.
1) The csrf token is useless in this case and can be copied from the registration page
2) Vericode is completely ignored - add a check!
3) Vericode is extremely short and insecure! - this means even if you add a vericode check for this form it will still be easily hackable with a script! (you will need less than 1 second to guess the vericode with brute force) and then it's done
you just need to setup this url:
Code: http://localhost/users/forgot_password_reset.php?email=userspicephp%40gmail.com&vericode=0&reset=1
and loop vericode from 0 to 999999
My suggestions:
vericode should be like a token, make it LONG
That's how I craft my vericode (example):
Code:
public static function getVericode(){
    return bin2hex(random_bytes(32));
}
Make sure you generate a new vericode on every action like:
password reset, verify email, user creation etc.
So a new solid vericode before every action: on password reset you generate a NEW vericode, store it in the db and send it - that should be done when the user presses the "reset" button
This shows that you do not check user input data. Keep in mind that users can put everything they want into the html page; they can also craft any POST and GET request. You just need to add solid validation to the PHP.
Thanks!
|
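The suggestions in the post above (check the vericode on the server, make it long, issue a new one per action), as an added example that is not UserSpice code and not part of the original post. The function names, the in-memory $store standing in for a database table, the 15-minute lifetime and the attempt limit are all assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hardened reset-token handling. All names are hypothetical;
// $store stands in for a database table keyed by e-mail address.

const RESET_TTL = 900; // seconds a reset token stays valid (assumed policy)

// Issue a fresh token each time a reset is requested. Only its hash is stored,
// so a leaked table does not hand out usable tokens.
function issueResetToken(array &$store, string $email): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits, as the post suggests
    $store[$email] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + RESET_TTL,
        'tries'   => 0,
    ];
    return $token; // placed in the e-mailed link only
}

// Server-side check that must pass before any password change is accepted.
// Hidden form fields are attacker-controlled, so nothing here trusts them.
function redeemResetToken(array &$store, string $email, string $token, int $maxTries = 5): bool
{
    if ($token === '' || !isset($store[$email])) {
        return false; // an empty vericode must never pass
    }
    $rec = &$store[$email];
    if ($rec['expires'] < time() || ++$rec['tries'] > $maxTries) {
        unset($store[$email]); // expired or too many guesses: require a new request
        return false;
    }
    if (!hash_equals($rec['hash'], hash('sha256', $token))) {
        return false; // constant-time comparison against the stored hash
    }
    unset($store[$email]); // single use
    return true;
}

// Constructed demo data
$store = [];
$token = issueResetToken($store, 'alice@example.test');
var_dump(redeemResetToken($store, 'alice@example.test', ''));       // empty vericode
var_dump(redeemResetToken($store, 'alice@example.test', '123456')); // short guess
var_dump(redeemResetToken($store, 'alice@example.test', $token));   // valid token
var_dump(redeemResetToken($store, 'alice@example.test', $token));   // replay of a used token
```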
|
|
Slow redirect to Login.php |
Posted by: PeterAarts - 11-05-2017, 10:20 AM - Forum: UserSpice 4.3 and Below
- Replies (4)
|
|
Hi,
I wanted to redirect the users directly to the login-page. So I made the index.php (with custom content) a private page.
The redirect mechanism to the login page works but is very slow; it takes almost 30 seconds.
What can I do to improve customer experience?
Peter
|
|
|
Column Sum |
Posted by: matt - 11-01-2017, 11:03 AM - Forum: UserSpice 4.3 and Below
- Replies (2)
|
|
I'm trying to add up the values of a single column but failing.....
<?php
$query = $db->query("SELECT SUM (sendout) from sendouts");
$count = $db->count();
echo $count;
var_dump($count);
?>
|
|
|
New function |
Posted by: shoropio - 10-30-2017, 03:17 AM - Forum: Modifications and Hackery
- Replies (7)
|
|
Enter fields in account.php and join.php as phone number and address for new users. But for already registered users that field is empty in account.php. Could you help me with this: instead of leaving the phone number blank, a link "add phone number" to user_settings.php should appear.
|
|
|
Update to 4.3 |
Posted by: Busy Tech - 10-29-2017, 11:35 AM - Forum: UserSpice 4.3 and Below
- Replies (3)
|
|
I am glad I backed up my data.
I tried updating from 4.2.11 to 4.3; however, it didn't go as planned. I backed up files into another directory, then I uploaded the update, then I went to /patchme.php and I got a 500 error. Please help...
|
|
|
|