NetTalk Central

NetTalk Web Server => Web Server - Ask For Help => Topic started by: jking on April 30, 2018, 11:24:01 AM

Title: NT 10.19, conditionally force user to change password
Post by: jking on April 30, 2018, 11:24:01 AM
I have a procedure that a user can call from a menu, to manually change their password. I want to force this procedure to run, after login, if the password is more than 90 days old, or a newly created account. I have date fields and a password change flag in my user.tps file, that can be used for the condition. However, I'm unsure of how to code for this. Can anyone offer some suggestions?

Thanks,

Jeff King
Title: Re: NT 10.19, conditionally force user to change password
Post by: Richard I on April 30, 2018, 05:16:32 PM
Hi there,
I would attempt to do this by....
I would set session values for the fields in the user TPS file
and access them in the Validate Update after 2 END embed in the login form

SET(User)
Access:User.usefile
User:RecordID = 1
IF access:user.tryfetch(userbykeyrecordID) = level:benign and p_web.GetValue('hash') = p_web.GSV('hash')
locdate = p_web.SetSessionValue('ChangeDate',CLIP(USER.date))

!!ETC with other user fields you might need
END

and then simply code it...

IF today () >  locdate +90    !!!( OR IF Today() > p_web.GSV('Changedate') +90)
user:password = locnewpassword ( just a local field on a p_web)
locdate = today()
Access:User.TRYUpdate()
ELSE
END

Try that.
Cheers
Richard
Title: Re: NT 10.19, conditionally force user to change password
Post by: Richard I on April 30, 2018, 05:20:40 PM
Sorry, my typing is abysmal.
user:password = locnewpassword ( just a local field on a p_web)

Should read..

user:password = locnewpassword ( just a local field NOT a p_web)
Title: Re: NT 10.19, conditionally force user to change password
Post by: jking on April 30, 2018, 07:34:49 PM
Richard,

     Thanks for the response.  I already have a form procedure called UserChangePassword (called as a pop-up) that allows the user to change their password manually.  It is called from a menu item and requires the user to enter the current password in order to set the new password.  This does all the things you mentioned and more. 
     In my users.tps file, I have various date and time fields set when the account is first created and changed, a ForcePasswordChange flag, as well as a hash of the password.  I now want to call this form procedure automatically, after checking dates or the ForcePasswordChange flag. 
     As an example, in my login procedure, I have coded the following:

     If ForcePasswordChange = 1
           UserChangePassword(p_web)
     END

The UserChangePassword form is called, but it does not update the users.tps file as expected...the newly entered password is not saved.  I suspect I'm not calling the UserChangePassword form correctly.  This is where I need help.

Thanks,

Jeff King
Title: Re: NT 10.19, conditionally force user to change password
Post by: bshields on April 30, 2018, 11:30:43 PM
Hi Jeff,

You are correct, you cannot just call the Update screen via a procedure call. It requires specific fields on the URL (eg in SetValues).

But you also want it to be a popup, so it's a bit more involved.

In the ValidateAll embed point add:

lbidv = p_web.AddBrowseValue(lParentBrowse,lFile,lKey)
p_web.Script('ntd.push('''&CLIP(lProcedure)&''','''','''&CLIP(lTitle)&''',1,'&lAction&',null,'''&CLIP(lCalledFrom)&''','''&CLIP(lbidv)&''','''&CLIP(lParams)&''');')


In the Popup embed point add (as it's at login, you might need to add it to your pageheader procedure):

lProcedure(p_web,Net:Web:Popup)


Where

lParentBrowse is your nearest browse (for login use your main window)
lFile is your user file
lKey is your unique user key
lProcedure is the procedure name of your change
lTitle is the text title of the popup window
lAction is 2 for change and 1 for insert
lCalledFrom is the procedure you are calling from
lbidv is the special code needed when in change mode
lParams is any extra URL style parameters you want to pass


Explanation

Some of this may be very obvious, so please ignore.

p_web.Script places JavaScript into the ajax response once the login is complete (it's a great way to control program flow after a window ends/closes)

ntd.push is NT's internal JavaScript for opening a popup window.

lProcedure(p_web,Net:Web:Popup) places the "ajax stub" into the page to allow a popup window to work.

p_web.AddBrowseValue generates the obfuscated sysid that the update process needs to find the record in question.

Hope that helps.

Regards
Bill
Title: Re: NT 10.19, conditionally force user to change password
Post by: jking on May 02, 2018, 05:48:38 PM
Bill,

Would this be simpler if it was not a pop up window?  How would your example change in this case?

Thanks,

Jeff
Title: Re: NT 10.19, conditionally force user to change password
Post by: bshields on May 02, 2018, 08:06:28 PM
Hi Jeff,

Yes, much simpler.

I'd put this in the end of ValidateAll embed:

p_web.Script('window.location=''/PasswordChangeForm?change_btn=change&_bidv_='&p_web.AddBrowseValue('Dashboard','UserFile',Use:SysKey)&''';')

Where Dashboard is your main screen, userfile and use:syskey are the file and key of the file with the password.

Regards
Bill
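
Added example, not part of the thread and not NetTalk's own code: the check from the original question (flag set, new account, or password older than 90 days) combined with the redirect from the reply above. Use:ForcePasswordChange, Use:PasswordChangedDate, PasswordChangeDue and the MustChangePassword session value are assumed names; Dashboard, UserFile, Use:SysKey and /PasswordChangeForm are the placeholders used in that reply.

```clarion
! Added example. Assumed fields in the user file:
!   Use:ForcePasswordChange  BYTE  (1 = must change, set on new accounts)
!   Use:PasswordChangedDate  LONG  (Clarion date, 0 = never changed)

! --- Program MAP: prototype for the helper (hypothetical name) ---
!   PasswordChangeDue  PROCEDURE(LONG pChangedDate, BYTE pForceFlag),BYTE

! --- Helper: TRUE when the user must choose a new password ---
PasswordChangeDue  PROCEDURE(LONG pChangedDate, BYTE pForceFlag)
MaxAgeDays           EQUATE(90)
  CODE
  IF pForceFlag = 1                        ! flag set by an admin or on account creation
    RETURN TRUE
  END
  IF pChangedDate = 0                      ! no change was ever recorded
    RETURN TRUE
  END
  IF TODAY() - pChangedDate > MaxAgeDays   ! Clarion dates are day counts
    RETURN TRUE
  END
  RETURN FALSE

! --- Login form, end of the ValidateAll embed, after the login has
!     succeeded and the user's record is in the Use: record buffer ---
  IF PasswordChangeDue(Use:PasswordChangedDate, Use:ForcePasswordChange)
    p_web.SetSessionValue('MustChangePassword', 1)
    p_web.Script('window.location=''/PasswordChangeForm?change_btn=change&_bidv_=' & |
                 p_web.AddBrowseValue('Dashboard','UserFile',Use:SysKey) & ''';')
  END

! --- Change form, where the new password is saved: store these in the
!     same update so the check above stops firing on the next login ---
  Use:ForcePasswordChange = 0
  Use:PasswordChangedDate = TODAY()
  p_web.SetSessionValue('MustChangePassword', 0)
```

The redirect runs in the browser, so pages that must stay closed until the change is made should also test the MustChangePassword session value on the server.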

Title: Re: NT 10.19, conditionally force user to change password
Post by: Bruce on May 02, 2018, 10:43:38 PM
Hi Jeff,

Why do you want to make your security weaker by forcing password changes? Just curious...

https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
https://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security

cheers
Bruce