
Oh! Great, thank you! I didn't notice the redirects because I was logged in to Symphony...

Today's project was my first experience of Symphony front end membership. It all works fine, so many thanks for a great extension. The bit I haven't yet got working is the email integration for password resets. I know this crosses over with the other email-specific extensions, but it would be great to see a simple worked example of how to connect Members with Email Template Filter or Email Template Manager. Can anyone help with this as I am struggling to combine the two sets of instructions?

Thanks :-)

I can only speak for ETM, but most of the steps should be similar.

  • In Symphony's preferences, configure the intended email gateway (suggested: SMTP);
  • build a basic Email Template (plain text, static recipient = your own email address);
  • upon saving, the Email Template Manager will automatically create an event filter;
  • attach this event filter to your Members event;
  • test if the email is sent when the event is triggered.

That was the easy part. :-) There are two things left:

Set a dynamic recipient. You will need a Member(s) datasource which outputs only the logged-in member. Use a datasource filter on the Member ID. You find the Member ID in the param pool. Once you have the member email and name in your page XML, use XPath to tell the Email template about the recipient data. If your Members datasource is called Member by ID, then you may use something like {/data/member-by-id/entry/name} <{/data/member-by-id/entry/email}> (or similar).

Add HTML content to your Email Template (if you like).

[EDIT]: You will have to include dynamic parts in your email as well, e.g. the recovery code (which you may get by including the password field in the datasource and using something similar to /data/member-by-id/entry/password/recovery-code). But as you see in the above description, my way of doing things is step by step...

Thanks Michael. Your instructions are clear as a bell and the email integration part is now wrapped up. I am now having problems with the password reset function though.

My password recovery form returns the following XML and sends an email to the requester.

    <reset>
    <section id="7" handle="members">Members</section>
    <entry id="26">
        <email hash="352ab16a29fa10f5a44265505833c14b">stuart@eyes-down.net</email>
        <first-name handle="stuart2">Stuart2</first-name>
        <password reset-requested="yes">
            <recovery-code>0ec6a9251be8c0527837e749bde22d130f5b769e</recovery-code>
            <expires time="13:54" weekday="4" expiry="1 hour">2011-06-09</expires>
        </password>
    </entry>
    </reset>

Once I receive my recovery code, I proceed to the password reset page which contains the following form and has the Members: Reset Password event attached to it.

    <form method="post" action="{$root}/reset-password/?debug">
        <label>Email: <input name="fields[email]" type="text" value=""/></label>
        <label>Code: <input name="fields[password][recovery-code]" type="text" /></label>
        <label>Password: <input name="fields[password][password]" type="password" /></label>
        <label>Confirm Password: <input name="fields[password][confirm]" type="password" /></label>
        <input type="submit" name="action[members-reset-password]" value="Recover Account"/>
        <input type="hidden" name="redirect" value="{$root}/your-account/"/>
    </form>

When I paste in the recovery code, my email address and a new password, I get the following XML:

    <events>
    <member-login-info logged-in="no" />
    <members-reset-password result="error">
        <password type="invalid" message="No recovery code found." label="Password" />
        <post-values>
            <email>stuart@eyes-down.net</email>
            <password>
                <recovery-code>0ec6a9251be8c0527837e749bde22d130f5b769e</recovery-code>
                <password>TestTest</password>
                <confirm>TestTest</confirm>
            </password>
        </post-values>
    </members-reset-password>
    </events>

Now I can't see how the recovery code can be wrong since I just took it straight from the XML (both forms are on ?debug). Can anyone suggest why this might be?

Everything looks perfect to me. Could it be that the recovery code has expired immediately? Can you try a longer expiration time (like "one day")?

Thanks Michael. I tried this with no joy. In making the change I remembered that I had set a password salt. I did this a bit haphazardly and simply entered a random string... fbf4b3aead7f01ebfe080a2a548011b4

I wonder if perhaps there is a format or string length to the salt which I have missed? If so, is there any way back?

AFAIK, the salt has no influence on the recovery code. It is only used for the password hash which is saved to the database.

Can you look up the recovery code in the database using phpMyAdmin?

  • Look for the field_id in sym_fields_memberpassword
  • look into sym_entries_data_YOURFIELDID (with YOURFIELDID being the field_id); there should be:
    • a recovery-code
    • in the same line: reset set to yes
    • in the same line: expired set to a value in the future

Thanks Michael. I won't bore you with the details, but by doing as you suggested, I have realised that the event is working and the password is being reset.

In the browser however, rather than being logged in and redirected, I am then returned to the password reset form page but get a white screen with no HTML output. When I was working on this last week, the white screen behaviour was happening intermittently, which I took for a server issue. I now realise that it happens the first time I enter a correct code. If I try again, the white screen issue goes away, which I now know is because the recovery code no longer exists, and then the event returns a fail message.

So the issue only arises when the event is successfully called. The issue goes away when I uncheck the "Automatically log the member in after changing their password" on the Members: Reset Password event, so it looks like it is this bit of functionality which is causing the problem. As this is not essential, I have disabled it.

Thanks for your help with this :-)
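The three database conditions listed above (a recovery code present, reset set to yes, expiry in the future) and the second-attempt failure reported above, as an added example that is not code from the Members extension. The row layout, key names, reason strings and sample values are assumptions made for illustration.

```python
import hmac
from datetime import datetime


def redeem(row: dict, submitted_code: str, now: datetime):
    """Check one stored password row against a submitted recovery code.

    Returns (ok, reason). On success the code is cleared so it cannot be replayed.
    """
    stored = row.get("recovery_code")
    if not stored:
        return False, "no recovery code stored"
    if row.get("reset") != "yes":
        return False, "reset not requested"
    if row["expires"] <= now:
        return False, "recovery code expired"
    # Constant-time comparison; strip whitespace picked up when pasting from an email.
    if not hmac.compare_digest(stored.encode(), submitted_code.strip().encode()):
        return False, "recovery code mismatch"
    row.update(recovery_code=None, reset="no", expires=None)
    return True, "ok"


def sample_row() -> dict:
    # Constructed row: a 40-character code with an expiry of 13:54 on 2011-06-09.
    return {
        "recovery_code": "0123456789abcdef0123456789abcdef01234567",
        "reset": "yes",
        "expires": datetime(2011, 6, 9, 13, 54),
    }


if __name__ == "__main__":
    row = sample_row()
    code = row["recovery_code"]
    now = datetime(2011, 6, 9, 13, 0)
    print(redeem(row, " " + code + "\n", now))  # first attempt succeeds
    print(redeem(row, code, now))               # replay: the code is gone
    print(redeem(sample_row(), code, datetime(2011, 6, 9, 14, 0)))  # expired
```

Because a successful reset clears the code, a failure on the second submission says nothing about whether the first one worked; checking the stored row is the reliable test.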

Maybe you could try and increase PHP memory? When I had white screen issues in the past, it was always a memory thingie.

Hey guys I have a weird problem with the extension, using the Integration branch and get the following error when I add a Username Field to a Section and Save:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNIQUE KEY `username` (`handle`) ) ENGINE=MyISAM' at line 9

The SQL looks like this:

    CREATE TABLE IF NOT EXISTS `sym_entries_data_8` (
      `id` int(11) unsigned NOT NULL auto_increment,
      `entry_id` int(11) unsigned NOT NULL,
      `value` varchar(255) default NULL,
      `handle` varchar(255) default NULL,
      PRIMARY KEY (`id`),
      KEY `entry_id` (`entry_id`),
      KEY `value` (`value`)
      UNIQUE KEY `username` (`handle`)
    ) ENGINE=MyISAM;

Any clues? Do I need to update symphony?

Cheers!

What version of MySQL are you using? Either your version is too old (doesn't support UNIQUE KEY), or there's a bug in that code. Perhaps there should be a comma before UNIQUE KEY?

I have 5.3 something, and yeah when I manually do an sql query and add the comma before the UNIQUE KEY it works... so is symphony doing this or the extension?

Thanks!

It's a bug on the integration branch, master should be unaffected. @stuartgpalmer I'll take a look, sounds like there might be a bug lurking in there. Can you enable PHP errors to find out what the white screen actually is?

Great, thanks!

Would it be possible to have two different member sections?

Sorry for the question, but can anyone please explain to me what the password salt is and how to use it?!

Thanks

Would it be possible to have two different member sections?

Not just yet, it's on the cards though!

Sorry for the question, but can anyone please explain to me what the password salt is and how to use it?!

No need to be sorry. The password salt is set on Member: Password field creation (ie. the first time you add the field and save it to a section). The value of the salt is used to hash the member's passwords for additional security. You cannot edit the salt once it has been set.

@ChriZ That SQL issue has been resolved in this commit

I understand that it will give more security to the password, but I don't understand what 'hash the password' means.

What difference will it make if I write aaaa or bbbb? Can you please give me an example of a hash and what the result will be?

So if your salt is 'foo' and the password is 'bar', these values are concatenated and then hashed with the SHA1 algorithm. The salt adds some randomness to the password so that it is more difficult/less likely to be susceptible to a rainbow table attack (in which an attacker just brute forces the login by running a dictionary of passwords through hashing algorithms hoping for a match).

As a developer, you don't have to do anything but add a Salt to your field. The extension takes care of the rest, ie. your users just enter 'bar', not 'foobar'.

Think of salt as your website's password. The user's password is mixed with the website's password before it is saved in the system. When a user enters their password to login, the system combines the user password with the salt and matches this against what's in the system for authentication.

Like the name suggests, salt is akin to adding extra flavour to your food in the same way that extra data is added to a user's password to scramble it some more.
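The 'foo' + 'bar' scheme described in the replies above, as an added example that is not code from the Members extension. It also shows what a single site-wide salt leaves visible in a stored member table (members with the same password get the same hash) beside a per-member random salt with PBKDF2; the function names, member names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SITE_SALT = "foo"  # the thread's example salt: one value shared by every member


def sitewide_sha1(password: str, salt: str = SITE_SALT) -> str:
    """Scheme as described in the thread: SHA1 over salt + password."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def verify_sitewide(password: str, stored_hex: str) -> bool:
    # Login: hash the submitted password with the same salt, compare in constant time.
    return hmac.compare_digest(sitewide_sha1(password), stored_hex)


def per_member_hash(password: str, salt: Optional[bytes] = None,
                    iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Comparison scheme (an assumption, not the extension's): random salt per member, PBKDF2."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_per_member(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(per_member_hash(password, salt)[1], stored)


def duplicate_password_groups(stored: dict) -> list:
    """Group members whose stored values are identical, i.e. who share a password
    under a site-wide salt. Useful when auditing an exported member table."""
    groups = {}
    for member, value in stored.items():
        groups.setdefault(value, []).append(member)
    return [sorted(names) for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    members = {"alice": "bar", "bob": "bar", "carol": "qux"}  # constructed sample data
    sitewide = {m: sitewide_sha1(p) for m, p in members.items()}
    per_member = {m: per_member_hash(p)[1] for m, p in members.items()}
    print(sitewide["alice"])                      # SHA1 of "foobar"
    print(duplicate_password_groups(sitewide))    # alice and bob are linked
    print(duplicate_password_groups(per_member))  # no groups
```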
