Hi Nick
I have created a one-time login link mod as I get a few customers complaining they don't get the password reminder emails. Some email providers (BTINTERNET) have very high spam filters and users need to whitelist our address. Everything is working great and I just wanted you to glance over what I've done in case I've missed any major security issues.
User enters email address in online form.
New function checks address is valid and checks email exists in user table
Mail->check_address & Session->user_exists
If all good, a new Session->sessnewtoken is generated and saved to 3 new columns in user table - token, expiry and status. This is a separate token to any other Kryptronic token format.
Email is generated which sends users email with link.
Link directs to new function which grabs the email address and token from base64 url ref.
Checks token matches the one in user table for user email, checks it hasn't been used before and checks it is less than 30 minutes old.
If all good, the 3 columns in user table are emptied and it proceeds to login_postauth() with email/password parameters.
Website opens with user logged in and on correct namespace(checkout or account overview).
Works for all user account email addresses except Superuser or Admin, which I assume is in the code somewhere but not an issue.
I will probably add a 6 digit code fallback that will be sent via text to completely resolve issues with users not getting password reminder emails.
I could add more secure token generation but don't think it is necessary.
Thanks
Rob
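As an added example (not code from the original post, and not Kryptronic K9 code, which is PHP), here is the token lifecycle described above written out in Python with an in-memory stand-in for the user table's three new columns. The function names issue_login_link and redeem_login_link, the sample user record and the newline-separated "email\ntoken" payload inside the base64 URL ref are assumptions for illustration. It keeps the post's 30-minute expiry and single-use check, and adds two things a practitioner would want: the table stores only a SHA-256 hash of the token (so a database read or backup does not yield a usable login link), and the comparison is constant-time.

```python
import base64
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # the 30-minute window from the post

# Constructed in-memory stand-in for the user table with its three added
# columns: token (stored as a hash here), expiry (unix time) and status.
USERS = {
    "alice@example.com": {"token": None, "expiry": None, "status": None},
}


def issue_login_link(email, now=None):
    """Generate a one-time token for an existing user and return the URL ref to email.

    Returns None when the address is not in the user table."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return None
    raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    user["token"] = hashlib.sha256(raw.encode()).hexdigest()  # never store the raw token
    user["expiry"] = now + TOKEN_TTL_SECONDS
    user["status"] = "unused"
    # Mirrors the post's "base64 url ref": email and token in one URL-safe string.
    payload = f"{email}\n{raw}".encode()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=")


def _decode_ref(ref):
    """Split the URL ref back into (email, raw_token); (None, None) if malformed."""
    pad = "=" * (-len(ref) % 4)
    try:
        decoded = base64.urlsafe_b64decode(ref + pad).decode()
        email, raw = decoded.split("\n", 1)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None, None
    return email, raw


def redeem_login_link(ref, now=None):
    """Validate a link: token matches, unused, under 30 minutes old; then consume it.

    Returns the email to hand to the post-auth step on success, else None.
    The stored columns are cleared only on success, so a wrong guess does not
    burn a legitimate, still-valid link."""
    now = time.time() if now is None else now
    email, raw = _decode_ref(ref)
    user = USERS.get(email) if email else None
    if user is None or user["token"] is None:
        return None
    presented = hashlib.sha256(raw.encode()).hexdigest()
    if not hmac.compare_digest(presented, user["token"]):  # constant-time compare
        return None
    if user["status"] != "unused" or now >= user["expiry"]:
        return None
    # Success: empty the three columns so the link cannot be replayed.
    user["token"] = user["expiry"] = user["status"] = None
    return email


if __name__ == "__main__":
    link = issue_login_link("alice@example.com")
    print("emailed ref:", link)
    print("first redeem:", redeem_login_link(link))
    print("second redeem:", redeem_login_link(link))
```

The caller would pass the returned email on to the site's own post-auth login step; a None result should be treated as a generic failure without saying which check failed. Because the request endpoint reveals whether an address exists, it is also worth rate-limiting both the issue and redeem handlers per address and per source IP.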
Dang. Want a job? Everything looks very good there. The only thing I'm seeing that's missing is probably just an oversight when typing up your summary. I assume you are changing the password for the account and sending that through login_postauth() if everything checks out. Which is good/fine. Just not noted in your summary.
Thanks Nick.
Is there any need to change the password? Looking at other big websites I use and who use this method, my password doesn't get changed as I can still login with email/password.
I'm just grabbing the password from userinfo and passing it in the params to login_postauth. Password is being passed to login_postauth() the same as it would in login_proc().
I've added social logins today - Google working perfectly, Facebook next. I will probably add Apple as it will sync well with Apple Pay, but need a developer (£99) licence/account first to even try it.
Google login checks if user exists and logs in, or creates a new account/password with lname/fname passed over from google.
Facebook should be straight forward as well.
No, there's no need to change the password, but... You're passing a password to user_postauthcheck() which checks password strength, not that the password matches what's on the account. The password you're passing (if you're pulling it from the user's table) is a hashed version of the password. Under normal circumstances this would be whatever the user entered as the password (in their form data submission) as K9 doesn't know the real password. That hashed password should always exceed the password strength requirements, so that's why you're getting a valid result back from the user_postauthcheck() function. But in reality, you're sending in a hashed password, not the password. So be aware that through the whole process K9 is expecting that password to be the user entered password. That's why I assumed you were changing it so you had an actual unhashed password to pass around.
In reality, I could bypass the password checks in login_postauth as they aren't relevant when logging in via a secure link.
Including the hashed password just means I don't need to add any hacks to the postauth process.