close ad
Databridge V2 with MySQLi support IS Now Available!
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Redirecting users to reset their password if current one doesn't meet strength requirements

Thread began 4/04/2022 7:08 am by MWilson | Last modified 5/26/2022 1:25 pm by Ray Borduin | 124 views | 11 replies |

MWilson

Redirecting users to reset their password if current one doesn't meet strength requirements

Hi Ray, I want to force existing website users to reset their passwords if they don't meet the current updated strength criteria. I've duplicated the current login page to test this and have added a message to it which displays if the user inputs a password that doesn't meet the REGEXP criteria. It works fine, however it also displays that message if they input an incorrect password - it should only display if the password is correct AND too short. I can't see where I'm going wrong - can you help? Page is attached.

Sign in to reply to this post

Ray BorduinWebAssist

If the password fails the regex, then it doesn't check to see if the username and password is valid. You would probably need to add a recordset to the page and filter it with the "failed validations" values so you could check to see if it failed validation but would have found a record for login if it hadn't. If that recordset filtered by the failed validation username and password has a row in it, then you know they would have been logged in if the validation hadn't failed.

Sign in to reply to this post
Did this help? Tips are appreciated...

MWilson

Not sure that will work though as I'm using SHA1 encryption and my understanding is that the system can't decrypt passwords, and since the encrypted value doesn't match the number of characters in the actual password, I can't match that either. Not to worry, I may just use the POST value - the chances are if a user inputs an incorrect password, it would probably be a similar length to the real password and they'd be told to update it anyway, which probably isn't a bad thing.

Sign in to reply to this post

Ray BorduinWebAssist

OK, but it could be done. SHA1 can't be decrypted, but it always encrypts the same, so you can compare the encrypted value in the database to the encrypted version of the submitted value to make sure they are the same in the database. However, your solution of just using the form element is probably better anyway for the reasons you stated.

Sign in to reply to this post
Did this help? Tips are appreciated...

MWilson

Yes, I hadn't thought of that. I can use that method for something else I need to do though, as I also need to put in place a check to make sure that when users update their password, they use a different one so that would be the way to do it!

Sign in to reply to this post

MWilson

Prevent users from re-using previous passwords

Hi Ray, I'm now working on what you suggested above so that I can compare a submitted password with values stored in the database, as I want to stop users from re-using any of the last 10 passwords they've set. I've set up a password history table which records all updated passwords, added a recordset to the page and limited it to 10 rows, then added server validation to check if the submitted password is NOT like any of the passwords in the recordset. It always fails validation though, so not sure if I've got the validation syntax correct. I'm also not sure if it will loop through the recordset? Would you mind taking a look at the page for me to see what I've done wrong?

A further thought - should I be using the Unique Database value validation instead? If I did that though, how would I limit it to only check the passwords for that particular user since there's always the chance that more than one person has used "Password1!" or similar!

Sign in to reply to this post

Ray BorduinWebAssist

Unique value validation isn't complex enough to cover your scenario, so you are doing the right thing by using a custom Recordset. I think you can use something like:

php:
<?php

$rsPWHistory 
= new WA_MySQLi_RS("rsPWHistory",$Composite,10);
$rsPWHistory->setQuery("SELECT * FROM (SELECT * FROM pw_history WHERE pw_history.UserID = ? ORDER BY HistoryID DESC) AS Last10 WHERE Last10.user_pass = ?");
$rsPWHistory->bindParam("d""".$_SESSION['SecurityAssist_ID']  ."""-1"); //ParamID
$rsPWHistory->bindParam("d""".(isset($_POST["User_Update_group_2_Password"])?WA_SHA1Encryption($_POST["User_Update_group_2_Password"]):"")  ."""-1"); //ParamPass
$rsPWHistory->execute();
?>



Then your validation can just be number validation that the value of: $rsPWHistory->TotalRows is < 1

Sign in to reply to this post
Did this help? Tips are appreciated...

MWilson

I updated the recordset and added number validation but it's giving me the following error:

Fatal error: Uncaught ArgumentCountError: Too few arguments to function WAValidateNM(), 3 passed in /var/www/vhosts/xxxxxxxx/httpdocs/my-account-details2.php on line 59 and exactly 7 expected in /var/www/vhosts/xxxxxxx/httpdocs/webassist/form_validations/wavt_scripts_php.php:443 Stack trace: #0 /var/www/vhosts/xxxxxxx/httpdocs/my-account-details2.php(59): WAValidateNM() #1 {main} thrown in /var/www/vhosts/xxxxxxx/httpdocs/webassist/form_validations/wavt_scripts_php.php on line 443

I've obviously done something wrong in the validation code. I've attached the updated page.

Sign in to reply to this post

Ray BorduinWebAssist

It should probably be something like:

$WAFV_Errors .= WAValidateNM(($rsPWHistory->TotalRows) . "",0,0,0,",.",false,11);

Sign in to reply to this post
Did this help? Tips are appreciated...

MWilson

It works!!

Now the only small issue I'm having is that the error message which displays when validation fails for that condition (11) isn't clearing when the password has been successfully updated. Is it maybe because I have two separate forms on the page and I need to add something to clear errors in the second form?

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...