Generate new password every 24 hours?

i have two questions
[1] are you going to be useing mysql data base
[2] and two are you really going to expire a password every 24hrs or have like a cookie so that it will no allow for auto logins after 24hr

Hi,
I dont think I need a MySql DB, but if it makes things easier or work better, I will.
Yes, I need to make sure that people cannot re-login after that period of time.

Can you help me, or at least point me in the right direction? :)

You can use .htpasswd and .htaccess if you just want to password protect a directory. No need for a db:

http://www.lightsphere.com/dev/htpass.html

If you want to change the password every 24 hours, you'll need to change the .htpasswd file manually and then post your users.

However, if you use a mysql database, and your host allows CRON JOBS, you can use cron to 'run' a php file which will change the password(s) held in a DB and mail your users. Cron Jobs aren't the simplest of things to implement, so contact your host for advice. Access is sometimes limited and you'll need to use SSH or telnet. Some hosts get a bit twitchy because cron jobs tend to take a lot of resources so if you're on a shared server, it could affect the performance of your 'neighbours'.

Cron jobs can 'run' any php file, so the limit of what they can do pretty much depends on what you want php to do.

Alternatively, you could create a password table, with various passwords for every day for the next couple of months (id,pwd,date). You could have a button on a page form that sends the password to the recipient (if they type in a valid email address kept in a db). However I don't think this is that secure and could annoy users by having to go to the site, then their e-mail account and then back to you.

Alternatively, you could create a password table, with various passwords for every day for the next couple of months (id,pwd,date). You could have a button on a page form that sends the password to the recipient (if they type in a valid email address kept in a db). However I don't think this is that secure and could annoy users by having to go to the site, then their e-mail account and then back to you.

Yes, I agree that could annoy users. I want it to be as hassle free as possible. I think your idea of using Cron Jobs with a PHP script is great. Would you know of a place where I could find code like that? Being a total PHP newbie, I really am not sure how to even start.

you can def do it with cron jobs and php one more question
is this for multiple users so when they are accepted as a user can they only use it for 24hrs then just that user gets kicked off ?-

Hitman,
Yes it is for multiple users. I however just want to have one password per day. This means all the users have the same username and password each day.

RE: cron job

Before you get your hopes up, see if you've got ssh or telnet access. If so, see your host's policy on setting up cron jobs. Don't p*** them off or they could kick you out!

The 'crontab' syntax is as follows (6 items):

minute hour day month day-of-week command-line-to-execute

possible values are: 0-59; 0-23; 1-31; 1-12; 0-7 (0 and 7 = Sun, 1 = Mon ....)

You can also use widcards (*) instead of values to indicate every value, e.g.

10 13 * * * = do it at 13:10 every day of every month regardless of day-of-week (Mon, Tue etc).

You can use slashes to mean 'step', e.g.

* */2 * * * = run every other hour

You can have more than one value for each field, e.g.

10 13 3,16 * * = run at 13:10 on the 3rd and the 16th of every month regardless of day-of-week.

Placing a value in 'day-of-week' in addition to the above will run the above AND every day-of-week, e.g.

10 13 3,16 * 3 (run as above AND every Wednesday)

A complete cron for a php file would look like this:

10 3 * * * wget http://www.mysite.com/myphpfile.php

IN order to place this 'schedule', you'll need to use crontab

First of all, create a crontab.txt file in Notepad (or similar ASCII text processor). Place the cron(s) into it, ensuring that each cron is on a separate line. Leave an empty line at the end (important).

Upload the file to your site via FTP.
From the ssh/telnet enter:

crontab crontab.txt

Check to see if your crons have been accepted by: crontab -l (small L)

You can remove crons with crontab -r Give it a go.

Ardav,
I contacted my host and now I have SSH permission. :) :)

If you don't mind taking a look at my script to see if it is any good... I am a total newbie at this and really have no background in PHP. I did test it and after fixing all the errors the page did come up blank in my browser. But before I continue, I would like to make sure that this part of my project is working correctly.

<?php

$link = mysql_connect("all","my","info");
if (!$link) {
die('I cannot connect to the database beacuse: ' . mysql_error());
}

$db_selected = mysql_select_db("db_tablename" , $link);
if (!$db_selected) {
die("Can't connect: " . mysql_error());
}


$random_row = mysql_query("SELECT * FROM tablename order by rand() limit 1");

return($random_row);

mysql_close();
 
$today = date("l, F j, Y");

$message = <<<ENDFORM
Here is the new code for $today.  Visit "http://www.mydomain.com" and log in.

...
ENDFORM;

$recipient1 = "me <email@domain.com>";
$recipient2 = "Me2 <email@domain.com>";

$subject = "The Code for $today";

$headers .= "To: $recipent1"."\r\n";
$headers .= "From: $recipient2"."\r\n";
$headers .= "Bcc: $recipient2, $recipient1"."\r\n";
$headers .= "Reply-To: $recipient2"."\r\n";
$headers .= "X-Mailer: PHP-Mailer";

mail( "$recipient1, $recipient2", $subject, $message, $headers);

?>

Thanks so much for all your help.

return($random_row);

will probably just halt the program.

Just put the info into a variable.

$today_pw = $random_row['pw'];

$message = "Here is the new password for {$today}.  Password = {$today_pw}. Visit "http://www.mydomain.com" and log in."

The only this is, you've got a random password from the db, but how will you know which record to check when the user tries to log in?

By the way, the reason that you have a blank screen is that you haven't echoed or printed anything to the screen. This is not necessary if the file is 'cronned', however, place some echoes for testing and then comment them out once you're ready to proceed.

Get back if still stuck.

The only this is, you've got a random password from the db, but how will you know which record to check when the user tries to log in?

You are absolutely right. That is my next obstacle. Is there a way to get my login script to work with my cronjob?

I've been working on the e-mail script. I have it emailing now, but for some reason there is no passcode in the email. Here is the part where the issue is coming from:

$random_row = mysql_query("SELECT * FROM table order by rand() limit 1");

$today_pw = $random_row;

$today = date("l, F j, Y");

$message = <<<ENDFORM
Here is the new password for {$today}.  Password = {$today_pw}. Visit "http://www.mydomain.com" and log in.

OK, with further thought about how I would actually match up the passwords, I believe that rand()limit 1 isnt the right thing to do in this case.

How about generating and overwriting one field with certain parameters as to what goes in the field?

How would one do something like that?

This is because your trying to pass an object (mysql result set) not an actual value. That's why I wrote this:

$today_pw = $random_row['pw'];

Where 'pw' is the name of your password field in the db table.

I wouldn't use rand() to generate a random password due to the randomness of it (obviously!). You could generate a random password every time the cron job runs, enter it into the db with an 'active date' field for the password. The password is then sent to the users.

For example, a random pw could be something like this:

$new_pw = md5('silly_new_salt' . time() . 'add_another_absurd_salt');
$active_date = date_format(mktime(0, 0, 0, date("m")  , date("d")+1, date("Y")),'Y-m-d');

This will give you a sufficiently unguessable 32-digit pw.

In the cronned php file:

1. Generate pw
2. Add this to the db along with the active date
3. Check to see added properly
4. Send pw in email
5. Check to see mail delivered
6. Send results (success or failure) to a log table, so that you can keep an eye on problems - e.g. pick up on a failed email delivery before you get some irate callers.

OK, I think that does it for me. Good luck.

Thanks Ardav for all your help! :)