Recitation Project / Assignment #6

Blowfish Hashing and Password Reset

Due: Monday March 27, 2017 - 11:55pm

See Addendum for updates.

This assignment builds upon Assignment 5. Here is what you will be adding. You are required to use the Blowfish hashing technique instead of MD5. You will use the CSV file read and write capabilities of PHP to manage user information. In addition, you'll also implement password reset functionality on your site.

The assignment is divided into two tasks, described in detail below.

For the first task, download Example 2. This example implements the PHP 5.5 password_hash and password_verify functions and also stores user information in a CSV file. You'll need to understand thoroughly how the code is organized and play with it until you have full control of it. You will use a CSV file with three fields in it: username, password hash, and email. You will present a form to collect this information on the signup.php page, from which you will write this data to the user.csv file. Create two sets of credentials; one should be username "ct310", password "Segovia" (note: store only the password hash value in the CSV file), email "nspatil@colostate.edu" (please do not use this user for testing purposes, as it spams my inbox; use the other set for testing). Please sanitize and validate the email with PHP filters while parsing. Your login page will have an appearance similar to the one shown below.

In the second task, you'll add "Forgot my password" (FMP) functionality to the login page; clicking it takes the user to the FMP page. Create a new page for FMP that has a drop-down list of usernames and a "Send Email" button. A user selects their login username from the choices and clicks Send Email, which triggers an email containing a special URL to reset the password, sent to the email address on record in the CSV file (assuming the CSV file is prepopulated with users). An example of sending email is on slides 5 - 11 of Lecture 10. You'll generate a key (a random string of at least 32 characters; refer to the PHP documentation) and append it to the URL in this manner: "https://www.cs.colostate.edu/~youreid/yourdirectory/passwordreset.php?key=779a1dtdy8jdfg9bf09cv04e79507e13". This URL makes up the content of the email. The key is also stored in a session variable, to validate the user when they come back to the browser by clicking through the URL from the email. Therefore the key can only be recognized by a client connecting to the SAME session as the one that generated the key. This restricts others from getting into the password reset page without a valid identity.

The passwordreset.php page is where the user lands as they come back to the browser; it will have a form for new password entry. The elements of the form are "Password", "Confirm Password" and a "Submit" button; upon submission it stores the new password in the CSV file and navigates the user back to the login form. You need to validate that both fields contain the same new password before redirecting. From here, the user can log in as usual with the new password.

Under no circumstances can a person modify the on-record email address through a browser. Each username must be unique and tied to one email address. Follow the model in Lec 15, which states that if no users.csv exists, a default one is constructed, pre-populated with at least one user and email address. Students may use code from the example to the greatest extent they find it helpful.
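The complete flow of both tasks in one place, as an added example that is not the course's Example 2 or any student's solution: it assumes PHP 7.1 or later, a users.csv with one "username,hash,email" row per user, and the function names (load_users, issue_reset_key, reset_password, and so on) are my own.

```php
<?php
// Added example, not the course's Example 2. Assumed CSV layout: one "username,hash,email" row per user.
// Load users from the CSV; if it does not exist, build a default one holding the required ct310 user.
function load_users(string $file): array {
    if (!file_exists($file)) {  // store only the bcrypt (Blowfish) hash, never the plaintext password
        save_users(['ct310' => ['hash' => password_hash('Segovia', PASSWORD_BCRYPT), 'email' => 'nspatil@colostate.edu']], $file);
    }
    $users = [];
    $fh = fopen($file, 'r');
    while (($row = fgetcsv($fh, 0, ',', '"', '\\')) !== false) {
        if (count($row) === 3) { $users[$row[0]] = ['hash' => $row[1], 'email' => $row[2]]; }
    }
    fclose($fh);
    return $users;
}
function save_users(array $users, string $file): void {
    $fh = fopen($file, 'w');
    foreach ($users as $name => $u) { fputcsv($fh, [$name, $u['hash'], $u['email']], ',', '"', '\\'); }
    fclose($fh);
}

// signup.php: sanitize and validate the email with PHP filters; reject empty or duplicate usernames.
function add_user(array &$users, string $name, string $password, string $email): bool {
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);
    if ($name === '' || isset($users[$name]) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) return false;
    $users[$name] = ['hash' => password_hash($password, PASSWORD_BCRYPT), 'email' => $email];
    return true;
}
function check_login(array $users, string $name, string $password): bool {
    return isset($users[$name]) && password_verify($password, $users[$name]['hash']);
}

// FMP page: 32 random bytes -> 64 hex chars, remembered in THIS session so only the same client can redeem it.
function issue_reset_key(array &$session, array $users, string $name): ?string {
    if (!isset($users[$name])) return null;
    $session['reset_key'] = bin2hex(random_bytes(32)); $session['reset_user'] = $name;
    return $session['reset_key'];  // goes into passwordreset.php?key=... mailed to $users[$name]['email']
}
// passwordreset.php: constant-time key check, both fields must match, key is single-use.
function reset_password(array &$session, array &$users, string $key, string $pw, string $confirm): bool {
    if (!isset($session['reset_key'], $session['reset_user']) || !hash_equals($session['reset_key'], $key)) return false;
    if ($pw === '' || $pw !== $confirm) return false;
    $users[$session['reset_user']]['hash'] = password_hash($pw, PASSWORD_BCRYPT);
    unset($session['reset_key'], $session['reset_user']);
    return true;
}

// CLI demo: temp CSV and a plain array in place of $_SESSION (call session_start() on the real site).
$file = tempnam(sys_get_temp_dir(), 'usr'); unlink($file); $users = load_users($file); $session = [];
$key = issue_reset_key($session, $users, 'ct310');  // on the site this key is emailed, not used directly
$ok = !reset_password($session, $users, 'bogus', 'x', 'x') && reset_password($session, $users, $key, 'NewPass1', 'NewPass1');
save_users($users, $file); echo ($ok && check_login(load_users($file), 'ct310', 'NewPass1')) ? "reset flow ok\n" : "FAILED\n";
```

Because the key lives in the server-side session and is compared with hash_equals, a URL copied to another browser (a different session) is rejected even if the key itself is correct.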

You will submit a single zip file "lastname.zip" with the required files. Submission will be through Canvas. Please host it on your CS account and provide the URL to your page as a comment during the Canvas submission. Keep this assignment's URL separate from your previous assignments' URLs.

To do this assignment, please use a text editor and type all the necessary tags by hand. Please do not use any web development application to create your home page. Your work will be tested with Chrome on department machines.

Addendum (03-26-2017)

Please use the email "nspatil@colostate.edu" for the ct310 user.

The sign-up part is optional; include one extra set of credentials, apart from the ct310 user, as a comment during the Canvas submission.