Security QA for Forgotten Password

Last modified by bloggleme on Fri, June 25, 2010 09:49

Have you ever noticed that some websites ask you to supply a security question and answer when you create an account? If you later forget your password, you must give that answer before a new password is issued, so the answer acts as a second credential alongside the e-mail address. That raises the bar for someone who only knows a customer's e-mail address, but it is only as strong as the answer is secret: answers to questions such as a birth city or a favourite food are often guessable or findable in public profiles. Treat it as an extra check on the reset flow, not as a guarantee that the original owner can always get a stolen account back.

In this tutorial I'm going to explain how to add those two fields to the registration page and require them on the forgot password page, where the submitted answer will be validated against the one stored with the account.

Please open the following files, as we will be working with them:

  /app/code/core/Mage/Customer/controllers/AccountController.php - controls all of the actions we need to edit. Rather than editing the core file in place (an upgrade will overwrite it), copy it to /app/code/local/Mage/Customer/controllers/AccountController.php and edit the copy; the local code pool takes precedence over core.
  /app/design/frontend/default/yourtheme/template/customer/form/forgotpassword.phtml - the template file for the forgot password page.
  /app/design/frontend/default/yourtheme/template/customer/form/register.phtml - the template file for the register page.

Alright, first things first. We will start by adding the Security Question and Answer fields to the registration page. Before the form can save them, the two fields also have to exist as customer attributes, so we create those first.

At the top of register.phtml, add the following code. It is a one-off: it creates the two attributes the first time the page is rendered and must be removed again straight afterwards (a module install script is the proper home for setup code like this, but the template trick works for a quick test):

  <?php
  // One-off setup: creates two customer EAV attributes.
  // Remove this block again as soon as the page has been loaded once.
  $setup = new Mage_Eav_Model_Entity_Setup('core_setup');

  // Security question attribute. The entity type is given by its code ('customer');
  // the page originally hard-coded the id 1, which is what 'customer' resolves to
  // in a stock install, but the code is safer than the number.
  $attrCode = 'squestion';
  $settings = array(
      'type'        => 'varchar',
      'label'       => 'Security Question',
      'input'       => 'text',
      'position'    => 1,
      'is_required' => 1,
  );

  // Security answer attribute
  $attrCode2 = 'sanswer';
  $settings2 = array(
      'type'        => 'varchar',
      'label'       => 'Security Answer',
      'input'       => 'text',
      'position'    => 2,
      'is_required' => 1,
  );

  // Add both attributes to the customer entity
  $setup->addAttribute('customer', $attrCode, $settings);
  $setup->addAttribute('customer', $attrCode2, $settings2);
  ?>

Now open the customer registration page in your browser. Loading it once executes the PHP we just added to register.phtml, and the two attributes are created. Remove or comment out that code right away: it is no longer needed, and left in place it would rerun the setup on every request, from a template that any visitor can trigger.
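The same two attributes created the way a Magento 1 module normally does it, as an added example that is not part of the original page: an install script that Magento runs exactly once and records in core_resource, so nothing executes from a template. The module name Example_SecurityQa, the setup resource name securityqa_setup and the file path are assumptions; the script also assigns the attributes to the customer forms, which Magento 1.4 and later require before the register form will save a posted value for them.

```php
<?php
/**
 * Added example (not from the original page, not Magento's own code).
 * Assumed location: app/code/local/Example/SecurityQa/sql/securityqa_setup/mysql4-install-0.1.0.php
 * Assumed config.xml: the securityqa_setup resource uses Mage_Customer_Model_Entity_Setup
 * as its setup class, so $this below is that setup object.
 */

/** @var Mage_Customer_Model_Entity_Setup $installer */
$installer = $this;
$installer->startSetup();

// Security question: the chosen question text is stored as-is. The frontend
// drop-down in register.phtml supplies the fixed list, so a plain text input
// is enough here (a 'select' input would need a source model for the admin form).
$installer->addAttribute('customer', 'squestion', array(
    'type'     => 'varchar',
    'label'    => 'Security Question',
    'input'    => 'text',
    'visible'  => true,
    'required' => true,
    'position' => 100,
));

// Security answer: a credential, so what the controller stores here should be a
// salted hash of the normalised answer, never the answer itself.
$installer->addAttribute('customer', 'sanswer', array(
    'type'     => 'varchar',
    'label'    => 'Security Answer',
    'input'    => 'text',
    'visible'  => true,
    'required' => true,
    'position' => 101,
));

// Magento 1.4+ only saves an attribute from a frontend form when the attribute is
// assigned to that form; 'customer_account_create' is the registration form.
$forms = array('adminhtml_customer', 'customer_account_create', 'customer_account_edit');
foreach (array('squestion', 'sanswer') as $code) {
    $attribute = Mage::getSingleton('eav/config')->getAttribute('customer', $code);
    $attribute->setData('used_in_forms', $forms)->save();
}

$installer->endSetup();
```

Magento picks the script up on the next request after the module is enabled, and because the version is recorded it cannot be re-run by reloading a page. The 'used_in_forms' step is a no-op on releases older than 1.4, which do not filter attributes by form.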

In register.phtml, navigate near Line 58. You should see this line of code:

          </ul>

Immediately after this line, add the following block of code. The five questions are the page's examples; when you choose your own, prefer questions whose answers a customer would not have posted on a public profile:

  <br/><br/>Please type in your security question/answer for retrieving your password.<br/>
  <ul>
      <li>
          <div class="input-box">
              <label for="squestion"><?php echo $this->__('Security Question') ?> <span class="required">*</span></label><br />
              <select id="squestion" name="squestion" title="<?php echo $this->__('Security Question') ?>" class="required-entry validate-select">
                  <option value="What is the name of your dog?">What is the name of your dog?</option>
                  <option value="What is the name of your favorite teacher?">What is the name of your favorite teacher?</option>
                  <option value="What is your maiden name?">What is your maiden name?</option>
                  <option value="In what city were you born?">In what city were you born?</option>
                  <option value="What is your favorite food?">What is your favorite food?</option>
              </select>
          </div>
          <div class="input-box">
              <label for="sanswer"><?php echo $this->__('Security Answer') ?> <span class="required">*</span></label><br />
              <?php /* getSanswer() reads back the posted 'sanswer' field; the original getSecurityAnswer() looked up a 'security_answer' key that is never posted */ ?>
              <input type="text" name="sanswer" id="sanswer" value="<?php echo $this->htmlEscape($this->getFormData()->getSanswer()) ?>" title="<?php echo $this->__('Security Answer') ?>" class="required-entry input-text" />
          </div>
      </li>
  </ul>
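Whatever the forgot password page does with the answer later, the value posted from this form should be stored the way a password is, not as plain text. The following is an added example in plain PHP, not code from the page or from Magento, showing the normalise, salt-and-hash, and constant-time check a practitioner would put behind these two actions. It assumes PHP 7 or later (for random_bytes() and hash_equals()) and the mbstring extension; the function names normalizeAnswer, hashAnswer and verifyAnswer are this example's own.

```php
<?php
/**
 * Added example (not from the original page, not Magento's own code).
 * Storing and checking a security answer as a credential. Runs stand-alone:
 *   php answer_hash.php
 */

// Canonicalise so that "Fluffy", " fluffy " and "FLUFFY" count as the same answer;
// customers rarely reproduce capitalisation and spacing exactly months later,
// and a strict comparison would turn the recovery flow into a lockout.
function normalizeAnswer($answer)
{
    $answer = mb_strtolower(trim($answer), 'UTF-8');
    return preg_replace('/\s+/u', ' ', $answer);
}

// Produce "salt:hash". Only the hash is stored, never the answer itself: if the
// customer table leaks, a plaintext maiden name or birth city is reusable against
// every other site where the customer chose the same question.
function hashAnswer($answer, $salt = null)
{
    if ($salt === null) {
        $salt = bin2hex(random_bytes(16));   // fresh per-record salt
    }
    $hash = hash('sha256', $salt . normalizeAnswer($answer));
    return $salt . ':' . $hash;
}

// Recompute with the stored salt and compare in constant time, so timing does not
// reveal how many leading bytes of the attacker's guess matched.
function verifyAnswer($answer, $stored)
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;   // malformed or legacy plaintext record: refuse, do not guess
    }
    list($salt) = $parts;
    return hash_equals($stored, hashAnswer($answer, $salt));
}

// Constructed sample: what the registration form posts, then two reset attempts.
$stored = hashAnswer("  Fluffy ");
var_dump(verifyAnswer("fluffy", $stored));
var_dump(verifyAnswer("Rex", $stored));
```

Inside Magento 1 itself the customer password is already stored as a salted hash through Mage::helper('core')->getHash() and checked with Mage::helper('core')->validateHash(), so the controller can reuse those helpers on the normalised answer instead of carrying its own hashing code. Hashing protects the stored value; it does nothing about a guessable answer, so the forgot password action still needs the same attempt limiting a login form gets.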