Forgot password page emails encrypted password.

Hi - I'm sure I've done something simple to mess this up.

I've created a forgot password page using the solution recipe. The new password session value is being used by the update record correctly and it looks like the password is being stored in the DB. Also the password is encrypted.

The forgot password page sends the email but the password in the email is encrypted as well. It should show the random password generated.

Should the email password value somehow be set to the session value and not the database one?

Thanks

You are exactly rite on this, the emailed password should be the non encrypted password held in the session variable where you set the random password. If you have any trouble updating this post back with the forgot password page in question.

I am having a similar problem. The returned password is encrypted. I haven't used the random password data binding though, preferring to allow the user to enter their own password rather than a randomly generated one. Is this required for encrypted passwords?

You can have the user enter their own password so long as you can identify the user and confirm that they are updating their password.

When do you encrypt the password and what is the value in the email that you have for the password? If the user is entering the password then the unencrypted version should be in the posted password element. You can reference this value directly in the email or save it to a session variable first then reference it in the email.

You still want to ensure that you store the password in the db encrypted though. Post back with the pages in question if you have any further trouble with this.

Am I to understand that the forgot password procedure actually creates a new one in the DB and emails that to the user?

Ok I probably need help with the workflow here. This is what needs to happen.

1. The initial user is created by an administrator, not the user himself. A random password is generated, but the administrator has the ability to change the password at the time the user record is generated. This part is done already.

2. User email address is a required field when adding the user record so I would now like an email to be automaticaly sent to the added user with their username and password.

3. The ability for the user to change his password to something he can remember a little easier if he wants to.

4. The ability for the user to have his existing password emailed to him.

You are correct in your understanding of the new password, it is generated the stored in the db. The user gets the original unencrypted value sent to them in the email.

So when you are adding the user you can have the password that was entered stored in a session variable, then when the user is inserted you would send out the email to the user with their details. For the password you would use the unencrypted version held in the session variable.

In order for the user to change their password they would either need to be logged in already, or go to a forgot password page that will generate a new random password and email it to the user.

If you store the passwords in an encrypted format you will not have the ability to email the password to the user, you would need a forgot password page that resets the user's password to a random value and emails them with that.

Thanks for the explanation Eric, I have a better idea of how it should work now.

Your welcome, let us know if you have any other questions.