NT 10.19, conditionally force user to change password

[jking]

I have a procedure that a user can call from a menu, to change manually their password.  I want to force this procedure to run, after login, if the password is more than 90 days old, or a newly created account.  I have date fields and a password change flag in my user.tps file, that can be used for the condition.  However, I'm unsure of how to code for this.  Can anyone offer some suggestions?

Thanks,

Jeff King

[Richard I]

Hi there,
I would attempt to do this by....
I would set session values for the  fields in the user TPS file
and access them by in the Validate Update after 2 END embed in the login form

SET(User)
Access:User.usefile
User:RecordID = 1
IF access:user.tryfetch(userbykeyreciordID) = level:benign and p_web.Gstvalue('hash') = p_web.GSV('hash')
locdate = p_web.SetSessionValue('ChangeDate',CLIP(USER.date))

!!ETC with other user fields you might need
END

and then simply code it...

IF today () >  locdate +90    !!!( OR IF Today() > p_web.GSV('Changedate') +90)
user:password = locnewpassword ( just a local field on a p_web)
locdate = today()
Access:User.TRYUpdate()
ELSE
END

Try that.
Cheers
Richard

[Richard I]

Sorry, My typing is abysmal
user:password = locnewpassword ( just a local field on a p_web)

Should read..

user:password = locnewpassword ( just a local field NOT a p_web)

[jking]

Richard,

     Thanks for the response.  I already have a form procedure called UserChangePassword (called as a pop-up) that allows the user to change their password manually.  It is called from a menu item and requires the user to enter the current password in order to set the new password.  This does all the things you mentioned and more. 
     In my users.tps file, I have various date and time fields set when the account is first created and changed, a ForcePasswordChange flag, as well as a hash of the password.  I now want to call this form procedure automatically, after checking dates or the ForcePasswordChange flag. 
     As an example, in my login procedure, I have coded the following:

     If ForcePasswordChange = 1
           UserChangePassword(p_web)
     END

The UserChangePassword form is called, but it does not update the users.tps file as expected...the newly entered password is not saved.  I suspect I'm not calling the UserChangePassword form correctly.  This is where I need help.

Thanks,

Jeff King

[bshields]

Hi Jeff,

You are correct, you cannot just call the Update screen via a procedure call. It requires specific fields on the URL (eg in SetValues).

But you also want it to be a popup, so its a bit more involved.

In the ValidateAll embed point add:

lbidv = p_web.AddBrowseValue(lParentBrowse,lFile,lKey)
p_web.Script('ntd.push('''&CLIP(lProcedure)&''','''','''&CLIP(lTitle)&''',1,'&lAction&',null,'''&CLIP(lCalledFrom)&''','''&CLIP(lbidv)&''','''&CLIP(lParams)&''');')

In the Popup embed point add (as its at login, you might need to add it to your pageheader procedure):

lProcedure(p_web,Net:Web:Popup)


Where

lParentBrowse your nearest browse (for login use your main window)
lFile is you user file
lKey is your unique user key
lProcedure is the procedure name of your change
lTitle is the text title of the popup window
lAction is 2 for change and 1 for insert
lCalledFrom is the procedure you are calling from
lbidv is the special code needed when in change mode
lParams is any extra URL style parameters you want to pass


Explanation

Some of this may be very obvious, so please ignore.

p_web.Script places javascript into the ajax response once the login is complete (its a great way to control program flow after a window end/closes)

ntd.push is NTs internal javascript for opening a popup window.

lProcedure(p_web,Net:Web:Popup) places the "ajax stub" into the page to allow a popup window to work.

p_web.AddBrowseValue generates the obsticated sysid that the udpate process need to find the record in question.

Hope that helps.

Regards
Bill

[jking]

Bill,

Would this be simpler if it was not a pop up window?  How would your example change in this case?

Thanks,

Jeff

[bshields]

Hi Jeff,

Yes, much simpler.

I'd put this in the end of ValidateAll embed:

p_web.Script('window.location=''/PasswordChangeForm?change_btn=change&_bidv_='&p_web.AddBrowseValue('Dashboard','UserFile',Use:SysKey)&''';')

Where Dashboard is your main screen, userfile and use:syskey are the file and key of the file with the password.

Regards
Bill

[Bruce]

Hi Jeff,

Why do you want to make your security weaker by forcing password changes? Just curious...

https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
https://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security

cheers
Bruce