Deactivate user's password periodically

5 posts by 3 authors in: Forums > CMS Builder
Last Post: October 24, 2018

By Dave - October 10, 2018

Hi Andreas, 

There are some different views on the security pros and cons of forcing a user to change their password.  One negative is that some users may choose simpler passwords or cycle through a list. 

You can read some more on that here: https://security.stackexchange.com/questions/7168/is-forcing-users-to-change-passwords-useful
and here: https://www.washingtonpost.com/news/the-switch/wp/2016/03/02/the-case-against-the-most-annoying-security-measure-virtually-every-workplace-uses/

But you could simply blank out or change a user's password in the CMS, and when they log in next they would get an error and be able to reset it.  Normal user behaviour, if a password isn't working, would be to reset it.  And/or you could have a plugin to blank out passwords after a certain period of time, or if the user hadn't logged in for x months.  Or perhaps add something to track when they last changed their password.

So the easy solution is just to blank out their password so they have to reset it.  More options would be available if you wrote a plugin.  And if you wanted to change the text displayed for "invalid password", you could do that in the language file (/cmsb/lib/languages/) to have it display some additional help text.

Hope that helps!  Let me know any questions.

Dave Edis - Senior Developer
interactivetools.com

By andreasml - October 11, 2018

Hi Dave

Thank you for your quick answer.

Question: can I create plugin myself? How easy is it?

Kind regards

Andreas

By Dave - October 15, 2018

Hi Andreas, 

If you're familiar with creating plugins or PHP programming then yes you could.  The tricky bit would be figuring out exactly what you want it to do first. 

Dave Edis - Senior Developer
interactivetools.com

By gkornbluth - October 24, 2018

Hi Andreas,

Here's an approach that you may find useful. I'm using the membership plugin, and I use the scheme below to force a user to change their password the first time they log in.

You should easily be able to change the if (@$_REQUEST['action'] == 'login') block to compare the updatedDate field value in the user record with the current date and, if a certain period of time has elapsed, force a password change.

See the 'WORKING WITH DATES' recipes in my CMSB Cookbook http://www.thecmsbcookbook.com for more on that. (It would be more elegant if there were a date field that indicated the last password update, since the updatedDate field will not necessarily coincide with the last password change on the user record.)

Good luck,

Jerry Kornbluth

First, I added a first_time_login checkbox to the user account record. Then I added the following to the standard if (@$_REQUEST['action'] == 'login') code in the plugin:

if (@$_REQUEST['action'] == 'login') {
  // if first time login (checkbox unset or '0') redirect to the change password page
  if (@$CURRENT_USER && (@$CURRENT_USER['first_time_login'] == '0' || @$CURRENT_USER['first_time_login'] == "")) {
    redirectBrowserToURL("cp.php");
    exit;
  }
}

return $CURRENT_USER;

} // end of the enclosing plugin function (not shown)

Here's the code for cp.php, which is based on the change password section of the login form.

<?php include ("_website_init.php"); ?>
<?php $GLOBALS['SEP_DISABLED'] = 1; ?>
<?php $GLOBALS['WEBSITE_MEMBERSHIP_PROFILE_PAGE'] = true; // prevent redirect loops for users missing fields listed in $GLOBALS['WEBSITE_LOGIN_REQUIRED_FIELDS'] ?>
<?php # Developer Notes: To add "Agree to Terms of Service" checkbox (or similar checkbox field), just add it to the accounts menu in the CMS and uncomment agree_tos lines

  //
  $useUsernames   = true; // Set this to false to disallow usernames, email will be used as username instead

  // error checking
  $errorsAndAlerts = "";
  if (@$_REQUEST['missing_fields']) { $errorsAndAlerts = "Please fill out all of the following fields to continue.<br/>\n"; }
  if (!$CURRENT_USER) { websiteLogin_redirectToLogin(); } // only logged-in users may reach this page; everything below assumes $CURRENT_USER is set


  ### Update User Profile (only reached if a form posts save=1; the change-password form below does not)
  if (@$_POST['save']) {
    // update user
    if (!$errorsAndAlerts) {
      $colsToValues = array();
      // ... add more form fields here by copying the above line!
      $colsToValues['first_time_login'] = '1';
      $colsToValues['updatedByUserNum'] = $CURRENT_USER['num'];
      $colsToValues['updatedDate=']     = 'NOW()'; // trailing '=' means the value is raw SQL
      mysql_update(accountsTable(), $CURRENT_USER['num'], null, $colsToValues);

      // on success
      websiteLogin_setLoginTo( $CURRENT_USER['username'], $CURRENT_USER['password'] );  // refresh login session (no username field is posted by this page)
      $errorsAndAlerts = "Thanks, we've updated your password.<br/>\n";
    }
  }


  ### Change Password
  if (@$_POST['changePassword']) {
    $encryptPasswords = @$SETTINGS['advanced']['encryptPasswords'];

    // error checking
    $_REQUEST['oldPassword'] = preg_replace("/^\s+|\s+$/s", '', @$_REQUEST['oldPassword']); // v1.10 remove leading and trailing whitespace
    $oldPasswordHash  = $encryptPasswords ? getPasswordDigest(@$_REQUEST['oldPassword']) : @$_REQUEST['oldPassword'];
    if     (!@$_REQUEST['oldPassword'])                             { $errorsAndAlerts .= "Please enter your current password<br/>\n"; }
    elseif ($oldPasswordHash != $CURRENT_USER['password'])          { $errorsAndAlerts .= "Current password isn't correct!<br/>\n"; }
    $newPasswordErrors = getNewPasswordErrors(@$_REQUEST['newPassword1'], @$_REQUEST['newPassword2'], $CURRENT_USER['username']); // v2.52
    $errorsAndAlerts  .= nl2br(htmlencode($newPasswordErrors));

    // change password
    // the first_time_login flag is only cleared here, after the old password has been verified and the
    // new one accepted, so a failed attempt still forces the change on the next login
    if (!$errorsAndAlerts) {
      $passwordHash = $encryptPasswords ? getPasswordDigest($_REQUEST['newPassword2']) : $_REQUEST['newPassword2'];
      $colsToValues = array();
      $colsToValues['password']         = $passwordHash;
      $colsToValues['first_time_login'] = '1';
      $colsToValues['updatedByUserNum'] = $CURRENT_USER['num'];
      $colsToValues['updatedDate=']     = 'NOW()'; // trailing '=' means the value is raw SQL
      mysql_update( accountsTable(), $CURRENT_USER['num'], null, $colsToValues);                     // update password and clear first-login flag
      websiteLogin_setLoginTo( $CURRENT_USER['username'], $_REQUEST['newPassword2'] );                // update current login session
      unset($_REQUEST['oldPassword'], $_REQUEST['newPassword1'], $_REQUEST['newPassword2']);          // clear form password fields
      $errorsAndAlerts = "Thanks, we've updated your password!<br/>\n";
      redirectBrowserToURL("provider_profile.php");
    }
  } ### END: Change Password


  // prepopulate form with current user values
  //foreach ($CURRENT_USER as $name => $value) {
  //  if (array_key_exists($name, $_REQUEST)) { continue; }
  //  $_REQUEST[$name] = $value;
  // }

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>CHANGE PASSWORD&nbsp;-&nbsp;DBT PROVIDER DIRECTORY</title>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/ico" href="/favicon.ico" />
<link href="css/dbt.css.php" rel="stylesheet" type="text/css" />
<link rel="stylesheet" type="text/css" href="css/fonts.css.php" />
<?php include ("_preload.php"); ?>
<link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=<?php 
    $output = ''; 
    foreach ($google_font_namesRecords as $record) { $record['name'] = preg_replace("/[, ]/", "+", $record['name']);
      $output .= $record['name'] . "|"; 
    } 
    $output = rtrim($output,"|"); // remove trailing pipe 
    print $output; 
?>">
</head>

<body >
<p>&nbsp;</p>
<table class="shadow3" bgcolor="#<?php echo $dbt_colorsRecord['main_box_background_color'] ?>" width="55%" border="0" align="center" cellpadding="0">
  <tr>
    <td  colspan="2" bgcolor="#<?php echo $dbt_colorsRecord['masthead_background_color'] ?>"><div class="under round-corner" align="left"> <?php foreach ($common_informationRecord['masthead'] as $index => $upload): ?>
        <a href="index.php"><img src="<?php echo $upload['thumbUrlPath3'] ?>"   alt="DBT Masthead" /></a>
        <?php endforeach ?>
      </div></td>
  </tr>
  <tr>
    <td class="shadow3"  width="20%" rowspan="4" align="right" valign="top" bgcolor="#<?php echo $dbt_colorsRecord['menu_background_color'] ?>" ><?php include ("_mainnavmenu.php"); ?></td>
    <td width="82%"><br />
      <br /></td>
  </tr>
  <tr>
    <td align="center" ><?php if (@$errorsAndAlerts): ?>
      <div class="text_font" align="left" style="color: #{{{PHP15}}}; font-weight: bold;"><br/>
        <?php echo $errorsAndAlerts; ?><br/>
      </div>
      <?php endif ?>
      <div style="width:90%" align="left">
        <div class="heading_font" align="center">PLEASE CHANGE YOUR PASSWORD</div>
        <br />
        <br />
        <span class="text_font"><b>Welcome <?php echo $CURRENT_USER['contact_first_name'] ?>, <br />
        <br />
        Since this is the first time you've logged in, we ask that you<br />
        change your password to protect your privacy.<br />
        <br />
        NOTE: Once you've changed your password, you'll no longer be logged in,<br />
        and you'll have to </b> </span><a class="special-link" href="member_login.php">LOGIN AGAIN</a> <span class="text_font"><b>with your new credentials.</b><br />
        <br />
        
        <!-- CHANGE PASSWORD FORM -->
        <div > <b>Change your Login Password - (Don't forget to write down the new one!)</b><br/>
          <form method="post" action="?">
            <input type="hidden" name="changePassword" value="1" />
            <p>
            <table border="0" cellspacing="0" cellpadding="1">
              <tr>
                <td>Enter Your Current Password</td>
                <td><input type="password" name="oldPassword" value="<?php echo htmlencode(@$_REQUEST['oldPassword']); ?>" size="40" /></td>
              </tr>
              <tr>
                <td> Enter Your New Password</td>
                <td><input type="password" name="newPassword1" value="<?php echo htmlencode(@$_REQUEST['newPassword1']); ?>" size="40" /></td>
              </tr>
              <tr>
                <td> Enter Your New Password (again)</td>
                <td><input type="password" name="newPassword2" value="<?php echo htmlencode(@$_REQUEST['newPassword2']); ?>" size="40" /></td>
              </tr>
              <tr>
                <td >&nbsp;</td>
                <td align="center"><br />
                  <input class="button" type="submit" name="submit" value="Change Password &gt;&gt;" /></td>
              </tr>
            </table>
          </form>
        </div>
        <br/>
        <!-- /CHANGE PASSWORD -->
        <?php if (@$errorsAndAlerts): ?>
        <div class="text_font" align="left" style="color: #{{{PHP23}}}; font-weight: bold;"><br/>
          <?php echo $errorsAndAlerts; ?><br/>
          <br/>
        </div>
        <?php endif ?>
        </span></div></td>
  </tr>
  <tr>
    <td><p>&nbsp;</p>
      <br />
      <br />
      <?php include ("_footer2.php"); ?></td>
  </tr>
</table>
</body>
</html>
The first CMS Builder reference book is now available on-line!

Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php
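The two suggestions in this thread, Dave's "blank out or track passwords after a certain period / x months without a login" and Jerry's "compare a date in the user record with today and redirect to cp.php", share one piece of logic: deciding whether a date stored on the account is older than a policy limit. The block below is an added example written for this page; it is not code from the thread or from CMS Builder. It assumes a dedicated datetime field named password_changed_date on the accounts table (the field Jerry said would be more elegant than updatedDate; cp.php would set it to NOW() on a successful change) and a lastLoginDate field, and it assumes CMSB's convention that an unset datetime is stored as '0000-00-00 00:00:00'. It generalizes both posts slightly by handling empty, zero and unparseable dates by failing closed. $CURRENT_USER and redirectBrowserToURL() are CMS Builder's; wiring enforcePasswordPolicy() into the plugin's login hook is left to the reader.

```php
<?php
// Added example (not from the thread or from CMS Builder). Policy limits, in days:
define('PASSWORD_MAX_AGE_DAYS', 90);    // force a password change after this many days
define('DORMANT_ACCOUNT_DAYS',  180);   // treat an account as dormant after this many days without a login

/**
 * True when $dateValue ('YYYY-MM-DD HH:MM:SS' from an account record) is at least
 * $maxDays old relative to $now (a datetime string, defaults to the current time).
 * Fails closed: an empty, zero or unparseable date counts as "older than the limit".
 */
function dateOlderThan($dateValue, $maxDays, $now = null) {
  // CMSB stores an unset datetime as '0000-00-00 00:00:00' (assumption, see lead-in)
  if ($dateValue === null || $dateValue === '' || strpos($dateValue, '0000-00-00') === 0) {
    return true;
  }
  $then = DateTime::createFromFormat('Y-m-d H:i:s', $dateValue);
  if ($then === false) { return true; }           // garbage in the column: fail closed
  $ref     = $now ? new DateTime($now) : new DateTime();
  $ageDays = (int) $then->diff($ref)->format('%r%a'); // signed whole days, negative if $then is in the future
  return $ageDays >= $maxDays;
}

// The password is stale when password_changed_date (assumed field) is past the policy age.
function passwordIsStale($account, $now = null) {
  return dateOlderThan(@$account['password_changed_date'], PASSWORD_MAX_AGE_DAYS, $now);
}

// The account is dormant when lastLoginDate (assumed field) is past the dormancy limit.
function accountIsDormant($account, $now = null) {
  return dateOlderThan(@$account['lastLoginDate'], DORMANT_ACCOUNT_DAYS, $now);
}

/**
 * Mirrors the structure of the first_time_login snippet above: called from the plugin's
 * login branch with $CURRENT_USER, it diverts stale passwords to cp.php and refuses
 * dormant accounts (Dave's "hadn't logged in for x months" case), otherwise passes
 * the user record through unchanged.
 */
function enforcePasswordPolicy($currentUser) {
  if (!$currentUser) { return $currentUser; }     // not logged in: nothing to enforce
  if (accountIsDormant($currentUser)) {
    // Dave's option: blank the stored password so the user has to reset it.
    // mysql_update() and accountsTable() are the CMSB helpers used in cp.php above.
    mysql_update(accountsTable(), $currentUser['num'], null, array('password' => ''));
    redirectBrowserToURL("member_login.php");
    exit;
  }
  if (passwordIsStale($currentUser)) {
    redirectBrowserToURL("cp.php");              // change-password page from Jerry's post
    exit;
  }
  return $currentUser;
}

// Self-check on constructed account records, run from the command line: php password_policy.php
if (PHP_SAPI === 'cli') {
  $now = '2018-10-24 12:00:00';                                   // fixed reference time
  $recent   = array('password_changed_date' => '2018-10-01 09:30:00', 'lastLoginDate' => '2018-10-23 08:00:00'); // 23 days old
  $old      = array('password_changed_date' => '2018-06-01 09:30:00', 'lastLoginDate' => '2018-10-23 08:00:00'); // 145 days old
  $neverSet = array('password_changed_date' => '0000-00-00 00:00:00', 'lastLoginDate' => '0000-00-00 00:00:00'); // unset dates
  $dormant  = array('password_changed_date' => '2018-10-01 09:30:00', 'lastLoginDate' => '2018-01-10 08:00:00'); // 287 days since login
  foreach (array('recent' => $recent, 'old' => $old, 'neverSet' => $neverSet, 'dormant' => $dormant) as $label => $account) {
    printf("%-9s stale=%s dormant=%s\n", $label,
      passwordIsStale($account, $now) ? 'yes' : 'no',
      accountIsDormant($account, $now) ? 'yes' : 'no');
  }
}
```

Keep the two limits apart: a stale password should send the user to the change-password page while they are still authenticated (so the old-password check in cp.php works), whereas a dormant account should lose its password before the session is established, which is why the dormant branch blanks the column and sends the user to the login page instead.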