Forcing member to change password on first login

Hey Jerry

I think you're going about this the wrong way. A better solution would be to let them login and get to the normal referring page, then check there if first_time_login is checked and redirect to the reset password page at that point. Then once they reset their password, you can update the record, tick that box, and redirect back to the usual login landing page.

Thanks Claire,

Won't I still have the same redirect issue, just one page removed?

The member logs in, gets sent to a members only page and when I check to see if they are a first time login, they still will have to be redirected to the change password page.

I'd like them to then be automatically taken back to the referring members only page

BTW did you see my post about not being able to upload a file to the forum?

Jerry

Yeah, I saw. It might be because the extension is .php_attachment or something. I'll look into it.

Making it one page removed just means the logic is a little easier to handle. You know everyone who logs in will hit this one page, and it's then just a matter of always redirecting anyone who hasn't reset their password yet to the other page.

OK, I'll give it a go, but it isn't really my first choice..

I don't know if you remember where I'm trying to go with this.

I was looking for a way to give members their password after an approval process that could take a while, and thought that if they chose their user name (which I can easily remind them of) and a universal password, and if they were forced to change their password the first time they logged in, that would offer an acceptable solution.

This was the reason I wanted (and still would prefer) doing the checking on the login page. It's the only page that everyone must come through for protected pages, no matter where they enter the site.

Thanks again for following up on this.

Jerry Kornbluth

Ah I see. Okay, if you need to have it go through the login page, then there are a few other options.

Off the top of my head, I think it's likely that the $CURRENT_USER is not set at the time when you're doing the check - OR that the form is processing ahead of time and redirecting to the landing page specified in the WSM plugin file before it hits the check. I'd recommend doing adding showme($CURRENT_USER); die; just before the check to see if the page is processing that far and whether the $CURRENT_USER is set as expected at that point.

Does that make sense?

Good thought, Claire,

It probably does have something to do with the WSM plugin.

I'll post what I find, but probably not until tomorrow.

Hopefully it will be useful to others struggling with the new password encryption security while giving management more control over a member approval process.

Jerry Kornbluth

Hi Claire,

I think I’m almost there.

After a lot of playing around, I added the following to the error checking section of the WSM plugin V 1.10 (around line 121) and it seems to work as expected:

if (@$_REQUEST['action'] == 'login')   {if (@$CURRENT_USER && (@$CURRENT_USER['first_time_login'] == '0'||@$CURRENT_USER['first_time_login'] == "")){redirectBrowserToURL("cp.php"); exit;} // if first time login redirect to change password page
else; }

As Always, I'm curious if I've created any security issues that you can see.

Thanks,

Jerry Kornbluth