Secure PHP Development- P46 pps

Figure 6-6: Flow diagram of the forgotten-password recovery application.
[Figure 6-6 (diagram not reproduced). Nodes, in flow order: Start; Step = 1? (No / Yes); Get email address; Does email address belong to a user? (Yes); Send email to user with a URL that contains user_id, request_checksum, step = 2; Is the request_checksum valid? (Yes); Get new password from user; Is password OK? (Yes); Store encrypted password; End.]
196 Part II: Developing Intranet Solutions
Implementing the forgotten-password recovery application
The forgotten-password recovery application implements the following methods:

resetPasswordDriver(): This method uses the global form variable, $step, to determine the phases of the forgotten-password recovery process. The tasks performed by this method are as follows:
1. When $step is unset, the first step in the process is assumed and the user is provided an interface to enter her username (EMAIL) address.
2. When the user has entered the username, the interface supplies a new value (2) for $step, which is embedded as a hidden field within the HTML form displayed in the first step.
3. In the second step, the method calls sendEmail() to send an e-mail to the user with a link that enables her to return to this application and enter the third step.
4. When the user clicks on the e-mailed link, a user interface that enables the user to change her password is presented. Submitting the new password with the confirmation password makes the method enter the final step.
5. In the final step, the method calls resetPassword() to replace the existing password with the newly entered password.

resetPassword(): This method performs the actual task of resetting the existing password to the newly entered password. It works as follows:
1. It uses getCheckSum() to calculate the checksum of the request and then compares it with the given checksum. If they don't match, the application shows an alert message and returns the user to the last screen.
2. It uses checkPassword() to check the password for length and dummy-password issues.
3. It creates a two-character salt from two random characters, then encrypts the user-entered password and adds the result to an associative array called $hash.
Chapter 6: Central User Management System 197

4. It creates a User object, $userObj, and calls getUserInfo() to load the user information.
5. It calls updateUser() with $hash as the parameter. updateUser() performs the actual database operation of updating the password. It updates only the password because $hash contains only the password information.
6. It displays the appropriate success or failure status message.

email(): This method is called by showScreen() to populate the e-mail template, which becomes the HTML message sent to the user who is requesting the change for a forgotten password. It works as follows:
1. It creates a User object, $userObj, and uses getUserIDByName() to retrieve the user's ID.
2. It returns FALSE if the user ID is not found. Otherwise, it uses getCheckSum() to generate a checksum for the current user ID.
3. It incorporates the checksum value in a URL along with the user ID and the step value set to 3.
4. It embeds the forgotten-password application URL into the HTML template by replacing the PASSWORD_URL tag with the URL value.
5. It returns TRUE status.
The following are the other methods implemented in this application.

Method             Description
run()              Calls resetPasswordDriver(), which is responsible for managing the entire forgotten-password process.
sendEmail()        Sends an e-mail link to the user, which she can use to return to the forgotten-password application and enter a new password. The e-mail message is read as an HTML template, which is processed by the showScreen() method. The showScreen() method calls the email() method to create the actual message, which the sendEmail() method sends to the user.
getCheckSum()      Creates a checksum value using the user ID and a secret random number loaded from the configuration file. The checksum is used to protect the e-mailed link from being generated by an unfriendly user.
checkPassword()    Checks the user-entered password for length and confirmation tests.
get_username()     Called by the showScreen() method when displaying the user-name entry interface as the first step in resetting the forgotten password.
reset_pwd()        Called by the showScreen() method when displaying the password entry interface as the third step in resetting the forgotten password.
authorize()        Because anyone can request to change her password, the authorization method always returns TRUE.
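A tamper-evident reset link of the kind getCheckSum() and email() describe, written here as an added example rather than code from the book: the checksum is an HMAC over user_id, step and an expiry under a configured secret, and verification compares it in constant time. makeResetToken(), makeResetUrl(), verifyResetRequest() and the placeholder secret are this example's own names, not the book's; the page does not show how the book's getCheckSum() computes its value.

```php
<?php
// Added example, not the book's code. The checksum is HMAC-SHA256 over the
// fields the link carries, plus an expiry so an old or leaked link goes
// stale. $secret stands in for the secret random number the book loads
// from its configuration file.

function makeResetToken(int $userId, int $step, int $expires, string $secret): string
{
    // Bind every field the link carries: altering any one of them
    // invalidates the checksum.
    return hash_hmac('sha256', "$userId|$step|$expires", $secret);
}

function makeResetUrl(string $baseUrl, int $userId, string $secret, int $ttl = 3600): string
{
    $expires = time() + $ttl;
    return $baseUrl . '?' . http_build_query([
        'user_id'          => $userId,
        'step'             => 3,   // the page's email() sets the step value to 3
        'expires'          => $expires,
        'request_checksum' => makeResetToken($userId, 3, $expires, $secret),
    ]);
}

// True only when every field is present, the link is unexpired and the
// checksum matches. hash_equals() runs in constant time, so the comparison
// reveals nothing about how many leading bytes of a guess were right.
function verifyResetRequest(array $query, string $secret, int $now): bool
{
    foreach (['user_id', 'step', 'expires', 'request_checksum'] as $field) {
        if (!isset($query[$field])) {
            return false;
        }
    }
    if ((int) $query['expires'] < $now) {
        return false;
    }
    $expected = makeResetToken((int) $query['user_id'], (int) $query['step'],
                               (int) $query['expires'], $secret);
    return hash_equals($expected, (string) $query['request_checksum']);
}

// Constructed demo: build a link for user 42, then verify it intact and tampered.
$secret = 'replace-with-config-secret';   // placeholder for the configured secret
$url = makeResetUrl('https://example.com/user_mngr/apps/user_mngr_forgotten_pwd.php', 42, $secret);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
var_dump(verifyResetRequest($query, $secret, time()));   // intact link: accepted
$query['user_id'] = 7;                                    // user_id altered: checksum no longer matches
var_dump(verifyResetRequest($query, $secret, time()));   // tampered link: rejected
```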
Listing 6-7 shows the code for the forgotten-password recovery application.
Listing 6-7: usermngr_forgotten_pwd.php
<?php
// Turn on all error reporting
error_reporting(E_ALL);
// If you have installed the framework directory in
// a different directory than
// %DocumentRoot%/framework, change the setting below.
$APP_FRAMEWORK_DIR = $_SERVER['DOCUMENT_ROOT'] . '/framework';

$PEAR   = $_SERVER['DOCUMENT_ROOT'] . '/pear';
$PHPLIB = $_SERVER['DOCUMENT_ROOT'] . '/phplib';
// Insert the path in the PHP include_path so that PHP
// looks for PEAR, PHPLIB and our application framework
// classes in these directories
ini_set('include_path', ':' .
        $PEAR . ':' .
        $PHPLIB . ':' .
        $APP_FRAMEWORK_DIR . ':' .
        ini_get('include_path'));
$AUTHENTICATION_URL = "/login/login.php";
$LOGOUT_URL = "/logout/logout.php";
$APP_MENU = '/home/home.php';
$APPLICATION_NAME = 'USER_MNGR';
$XMAILER_ID = 'Example User Manager Version 1.0';
$DEFAULT_LANGUAGE = 'US';
$DEFAULT_DOMAIN = 'example.com';
$ROOT_PATH = $_SERVER['DOCUMENT_ROOT'];
$REL_ROOT_PATH = '/user_mngr';
$REL_APP_PATH = $REL_ROOT_PATH . '/apps';
$TEMPLATE_DIR = $ROOT_PATH . $REL_APP_PATH . '/templates';
$CLASS_DIR = $ROOT_PATH . $REL_APP_PATH . '/class';
$REL_TEMPLATE_DIR = $REL_APP_PATH . '/templates/';
require_once "user_mngr.errors";
require_once "user_mngr.messages";
require_once 'DB.php';

require_once $APP_FRAMEWORK_DIR . '/' . 'constants.php';
require_once $APP_FRAMEWORK_DIR . '/' . $APPLICATION_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $ERROR_HANDLER_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $AUTHENTICATION_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $DBI_CLASS;
require_once $APP_FRAMEWORK_DIR . '/' . $USER_CLASS;
require_once $TEMPLATE_CLASS;
$MIN_USERNAME_SIZE = 3;
$MIN_PASSWORD_SIZE = 3;
$DUMMY_PASSWD = '1234567890';
$ROOT_USER = '';
$SECRET = 916489;
$CHAR_SET = 'charset=iso-8859-1';
// Application names
$USERMNGR_MNGR = 'user_mngr.php';
$USERMNGR_FORGOTTEN_APP = 'user_mngr_forgotten_pwd.php';
$USERMNGR_CHANGE_PWD_APP = 'user_mngr_passwd.php';
/* START TABLE NAMES */
$APP_DB_URL = 'mysql://root:foobar@localhost/auth';
$AUTH_DB_TBL = 'users';