Change password at login

I have a database that we are implementing for an alumni group. There are a limited number of users (400). We assign each member a username and password, initially.

I'd like to make it easy for the users to change their password themselves. Ideally, this could happen at the login screen. You know, new password: and confirm new password: with some sort of confirmation. So they'd have to know the old password to put in a new one, and they'd get a screen that would inform them the password had been changed. No e-mailing is necessary.

Anybody know how to do that?

Re: Change password at login
It should be just a matter of altering the change password mod.

You'll need to add two input fields to sub html_login_form and sub html_login_failure. Call the new fields

new_password and new_password2

In auth.pl, sub check_password, change the lines from

Code:

elsif ($in{'login'}) { # The user is trying to login.
    open (PASSWD, "<$auth_pw_file") || &cgierr("unable to open password file. Reason: $!\n");
through

Code:

            return ('ok', $db_uid, $view, $add, $del, $mod, $admin);
        }
    }
    return ("invalid username/password");
}
to

Code:

elsif ($in{'login'}) { # The user is trying to login.
    $pass_found = 0;
    open (PASSWD, "<$auth_pw_file") || &cgierr("unable to open password file. Reason: $!\n");
    @passwds = <PASSWD>; # Let's get the user id and passwords..
    close PASSWD;
    my ($view, $add, $mod, $del, $admin, $dview, $dadd, $dmod, $ddel, $dadmin);
    PASS: foreach $pass (@passwds) { # Go through each pass and see if we match..
        next PASS if ($pass =~ /^$/); # Skip blank lines.
        if ($pass =~ /^#/) { # Copy comment lines through unchanged.
            $output .= $pass;
            next PASS;
        }
        chomp ($pass);
        ($userid, $pw, $view, $add, $del, $mod, $admin) = split (/:/, $pass);
        if (($in{'userid'} eq $userid) && (crypt($in{'pw'}, $pw) eq $pw)) {
            $pass_found = 1;
            srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
            $dview = int($view); $dadd = int($add); # We int everything just in case
            $ddel = int($del); $dmod = int($mod); # someone has put spaces after the permissions.
            $dadmin = int($admin);
            if ($in{'new_password'}) {
                unless ($in{'new_password'} eq $in{'new_password2'}) {
                    return ("You must enter the same new password twice.");
                }
                unless ((length($in{'new_password'}) >= 3) and (length($in{'new_password'}) <= 12)) {
                    # Do not echo the submitted password back into the page.
                    return ("Invalid new password. Must be between 3 and 12 characters.");
                }
                my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
                my $salt = join '', @salt_chars[rand 64, rand 64];
                my $encrypted = crypt($in{'new_password'}, $salt);
                $output .= "$in{'userid'}:$encrypted:$dview:$dadd:$ddel:$dmod:$dadmin\n";
            }
            else { $output .= $pass . "\n"; }
            $db_uid = "$userid." . time() . (int(rand(100000)) + 1);# Build User Id
            open(AUTH, ">$auth_dir/$db_uid") or
                &cgierr("unable to open auth file: $auth_dir/$db_uid. Reason: $!\n");
            print AUTH "$uid: $ENV{'REMOTE_HOST'}\n";
            close AUTH;
        }
        else { $output .= $pass . "\n"; }
    }
    if ($pass_found) {
        if ($in{'new_password'}) {
            # Open read/write so the file is not truncated before the lock is held.
            open (PASS, "+<$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
            if ($db_use_flock) {
                flock(PASS, 2) or &cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
            }
            seek(PASS, 0, 0);
            truncate(PASS, 0) or &cgierr("unable to truncate $auth_pw_file.\nReason: $!");
            print PASS $output;
            close PASS;
        }
        # $userid has been overwritten by later lines of the file; log the submitted name.
        &auth_logging('logged on', $in{'userid'}) if ($auth_logging);
        return ('ok', $db_uid, $dview, $dadd, $ddel, $dmod, $dadmin);
    }
    else {
        return ("invalid username/password");
    }
}
There are several downsides to this. First, it will require that the script go through all of the lines in the .pass file, instead of stopping when it finds the correct one. This could slow down the login for some of your users. Second, there is no confirmation that the new password actually was added. I think it is important to tell people that they have succeeded in what they wanted to do. But if you don't care, that's fine.

I haven't tested the above, except for syntax errors, but I think it will do what you want.

JPD
http://www.jpdeni.com/dbman/
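
Added example, not part of the post above and not DBMan's own code: the same old-password check and rewrite of the userid:crypt:view:add:del:mod:admin file, with the lock taken before the file is read and the new contents renamed into place, returning a status the login page can use to confirm the change. The name change_password, the .lock and .tmp file names and the demo user are assumptions; it also assumes the platform's crypt() accepts traditional two-character salts, as the post's code does.

```perl
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);

# Hypothetical helper, not DBMan code. File format as in the post:
# userid:crypt:view:add:del:mod:admin. Returns 'ok' or an error string.
sub change_password {
    my ($file, $userid, $old, $new, $new2) = @_;
    return "You must enter the same new password twice." unless $new eq $new2;
    return "New password must be 3 to 12 characters."
        unless length($new) >= 3 && length($new) <= 12;
    # Lock a separate lock file before reading, so the whole
    # read-modify-write cycle is serialized across CGI processes.
    open(my $lock, '>>', "$file.lock") or return "cannot open lock file: $!";
    flock($lock, LOCK_EX) or return "cannot lock: $!";
    open(my $in, '<', $file) or return "cannot read $file: $!";
    my ($found, @out) = (0);
    while (my $line = <$in>) {
        chomp $line;
        my ($uid, $pw, @perms) = split /:/, $line;
        if (!$found && $line !~ /^#/ && defined $pw && $uid eq $userid
                && crypt($old, $pw) eq $pw) {
            # Same two-character crypt() salt scheme the post uses.
            my @chars = ('A' .. 'Z', 'a' .. 'z', 0 .. 9, '.', '/');
            my $salt  = join '', map { $chars[rand @chars] } 1 .. 2;
            $line  = join ':', $uid, crypt($new, $salt), @perms;
            $found = 1;
        }
        push @out, "$line\n";
    }
    close $in;
    return "invalid username/password" unless $found;
    # Write a temp file and rename it into place: readers see the old
    # file or the new one, never a truncated one.
    open(my $tmp, '>', "$file.tmp") or return "cannot write temp file: $!";
    print {$tmp} @out;
    close($tmp) or return "cannot close temp file: $!";
    rename("$file.tmp", $file) or return "cannot replace $file: $!";
    return 'ok';
}

# Constructed demo: a throwaway password file with one made-up user.
my $file = tempdir(CLEANUP => 1) . "/demo.pass";
open(my $fh, '>', $file) or die "demo setup: $!";
print {$fh} "# comment\n", join(':', 'alice', crypt('oldpw', 'ab'), 1, 1, 0, 1, 0), "\n";
close $fh;
print "$_: ", change_password($file, 'alice', $_, 'newpass', 'newpass'), "\n"
    for 'wrong', 'oldpw';
```

Because the function returns 'ok' only after the rename has succeeded, the caller can show a "password changed" screen on that value and the error string otherwise.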
Re: [mlustig] Change password at login
What I don't understand is why, is it hard to do first, match or find if there is such a user... then when looking for a password only check first for a user... after you find a user check the current password, then change it.

I would like a simple mod like this to work with the normal dbman passfile, without having it be totally changed.

You could really hmm use it for any type of format of passfile, it would be just a matter of which field you are searching first and where it is located, you could make example which things should go first if say you got this layout for your passfile and so on...

I would write a simple mod like this if I knew php/cgi stuff but I'm a n00b and only know java so far heh, I think a simple mod should have been done first before any other complex method.

One reason maybe hmm someone isn't using the sendemail, or doesn't have support like free hosting (for spam reasons). I think a simple change pass mod is a must.
Re: [drutort] Change password at login
Quote:
I think a simple change pass mod is a must.

There is a change password mod in the Resource area of this site. (Resources are found under Support.)

~ Karen
Re: [Karen] Change password at login
Yes, I looked. I do not want the one with the emailing and such... as I have stated, free web hosts don't always support "sendemail", so I just would like to change the password for a user as long as they are, say, already logged in and give them a right to do so... I believe this can be done the same way as the admin section, but only take the method that calls for update user, which is the change password, and make your own method just like that but accessible to users who are logged in, and they don't have to have admin permissions.

Is that so hard to do? To me, I think that is a lot easier than all the other mods and could have been or should have been placed into dbman anyway... I mean, at least you should expect to let the user change their password, if say you do not let a user sign in/create their own account... which I'm sure there are people who do that...