Forgotten Password Function

RentProperty
Posts: 345
Joined: Mon Nov 12, 2012 9:08 pm
Location: South Africa

Forgotten Password Function

Post by RentProperty »

hi Guys!

I am struggling a lot to figure out how the forgotten password function works. I want the 'Forget you password' button to always show on my login page. So I've copied the Javascript for that as well as the <a> link from the Logon2 page to my form. So that should work.

However the bigger problem is this... How do you let the system know which user is trying to log in? I.e. in the process that handles the functionality, how do I tell the system to Edit User X if I have no idea who user X is because there is no 'LoggedInUser' yet.

My best guess would be something like: Find User where User.LoginName=LoginNotofication.LoginName...

Am I on the right track? When I click the button on my logon page nothing happens.

Any advice or examples will be greatly appreciated.

Kind regards

Hein
Hein Hanekom & Werner Hanekom
Sinov8.net
AwareIM Version 5.9 | 6.0 | 7.0 | 7.1 (Windows EC2 R2012 & MySQL)
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Post by Rennur »

I haven't implemented this feature yet but my thoughts are to email the user the reset password link. There would be a process to create and email this link.

Let's all collaborate and create the safest way to implement this step by step.

Roughly the process would:
1. Find the user in the system that matches the recovery email entered on the form.
2. Set resetPassword (Yes/No) flag to yes.
3. Create a random password and store it in a plain text attribute.
4. Using ENCRYPT_B64 function, encrypt domain, userName & resetPassword.
5. Create a complete URL to your application that includes #4 and would log the user in.
7. Email this link to the user.
8. When clicked, another process on startup would then check the resetPassword flag is Yes.
9. You would have a non-persisted form with a plain text attribute for the user to enter a new password.
10. The process would then use the value of the new password and update the user password.

I would make sure the reset link expires and cannot be re-used.
hpl123
Posts: 2602
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

FP

Post by hpl123 »

Great initiative Rennur and the outline you have posted sounds good. One comment: instead of the ENCRYPT_B64 link, a link where the user has to log on with their temporary credentials (and then a process is executed for change) can also be used?

http://www.awareim.com/forum/viewtopic.php?t=7135
Henrik (V8 Developer Ed. - Windows)
tford
Posts: 4238
Joined: Sat Mar 10, 2007 6:44 pm

Post by tford »

9. You would have a non-persisted form with a plain text attribute for the user to enter a new password.
Why are you suggesting a non-persisted form? You can just use a form of LoggedInSystemUser.
Tom - V8.8 build 3137 - MySql / PostGres
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Post by Rennur »

Why are you suggesting a non-persisted form? You can just use a form of LoggedInSystemUser.


The only reason for that is so that the new password entered by the user is not saved in the database.
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Post by Rennur »

Missed a step (4)

Roughly the process would:
1. Find the user in the system that matches the recovery email entered on the form.
2. In the relevant SystemUser object, set resetPassword (Yes/No) flag to yes.
3. Create a random password and store it in a plain text attribute.
4. Replace the User's currently stored password with the random password.
5. Using ENCRYPT_B64 function, encrypt domain, userName & randomPassword.
6. Create a complete URL to your application that includes #4 and would log the user in.
7. Email this link to the user.
8. When clicked, another process on startup would then check the resetPassword flag is Yes.
9. Display a form with a plain text attribute in which the user will enter a new password.
10. The process would then use the value of the new password and update the user password.
customaware
Posts: 2405
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Post by customaware »

Rennur wrote:Missed a step (4)

3. Create a random password and store it in a plain text attribute.
4. Replace the User's currently stored password with the random password.
Anyone know how to create a random alphanumeric password rather than just a numeric?

Would like something like: M5RS83BWQ

rather than some text just concatenated to a randomly generated number.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
tford
Posts: 4238
Joined: Sat Mar 10, 2007 6:44 pm

Post by tford »

Anyone know how to create a random alphanumeric password rather than just a numeric?

Would like something like: M5RS83BWQ

rather than some text just concatenated to a randomly generated number.
Not exactly random, but you could use certain letters from the user name.
(i.e. letters 1, 4 and 6)
Tom - V8.8 build 3137 - MySql / PostGres
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Post by Rennur »

1. Find the user in the system that matches the recovery email entered on the form.
2. In the relevant SystemUser object, set resetPassword (Yes/No) flag to yes.
3. Create a random password and store it in a plain text attribute.
4. Replace the User's currently stored password with the random password.
5. Using ENCRYPT_B64 function, encrypt domain, userName & randomPassword.
6. Create a complete URL to your application that includes #5 and would log the user in.
7. Email this link to the user.
8. When clicked, another process on startup would then check the resetPassword flag is Yes.
9. Display a form with a plain text attribute in which the user will enter a new password.
10. The process would then use the value of the new password and update the user password.
Skip step 4. Do not reset the user's password with a random password. If you do, anyone that knows the user's email can submit it via the lost password logon and it will be reset straight away.

Step 6 will not work without step 4.
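The outline above, together with Rennur's own caveat about step 4 and Mark's question about a random alphanumeric value, can be put together as a small reference model. The following Python is an added example for this thread, not Aware IM code and not anything the forum members posted: it keeps the stored password untouched when a reset is requested, emails a random single-use link that expires, stores only a hash of that link's token (so a copy of the table cannot be used to log in), and generates the `M5RS83BWQ`-style string with the `secrets` module. The user table, the e-mail address, the `RESET_URL` prefix and the 30-minute lifetime are all constructed placeholders.

```python
import hashlib
import secrets
import string
import time

# Constructed sample data; in Aware IM this would be the SystemUser object.
USERS = {
    "hein": {"email": "hein@example.invalid", "password": None},
}
# Pending resets keyed by SHA-256(token), so a leaked copy of this table
# yields nothing usable. Value: {"login": ..., "expires_at": epoch seconds}
PENDING_RESETS = {}
TOKEN_TTL_SECONDS = 30 * 60                              # assumed lifetime
RESET_URL = "https://app.example.invalid/reset?token="   # placeholder prefix


def random_alphanumeric(length=9, alphabet=string.ascii_uppercase + string.digits):
    """Random string such as 'M5RS83BWQ' drawn from a CSPRNG (secrets), not random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt$digest' (both hex)."""
    salt = secrets.token_hex(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 200_000)
    return f"{salt}${digest.hex()}"


def verify_password(password, stored):
    salt, _ = stored.split("$", 1)
    return secrets.compare_digest(hash_password(password, salt), stored)


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Steps 1, 2 and 7 of the outline: find the user, record a pending reset, build the link.
    The stored password is NOT replaced, so submitting someone else's email changes nothing."""
    now = time.time() if now is None else now
    login = next((n for n, u in USERS.items() if u["email"].lower() == email.lower()), None)
    if login is None:
        return None  # the caller shows the same neutral message either way
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[_token_key(token)] = {"login": login, "expires_at": now + TOKEN_TTL_SECONDS}
    return RESET_URL + token  # this is what gets emailed


def complete_reset(token, new_password, now=None):
    """Steps 8 to 10: the link works once (popped on lookup) and not after TOKEN_TTL_SECONDS."""
    now = time.time() if now is None else now
    record = PENDING_RESETS.pop(_token_key(token), None)
    if record is None or now >= record["expires_at"]:
        return False
    USERS[record["login"]]["password"] = hash_password(new_password)
    return True
```

Because the password is only changed in `complete_reset`, the objection to step 4 disappears: the link itself is the temporary credential, it is bound to one account, and it is worthless after first use or after the lifetime has passed.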