Password reset problem

Adrian Ursu

Hi guys,

We have a problem with the password reset on our solution. After the user changes the password, the confirmation mail is not sent. Are there any additional settings required?
Also, how can we get the actual password, as the tag DWOldPassword mentioned in the documentation (http://templates.dynamicweb.com/TemplateTags/Dynamicweb-template-tags/Module-tags/Extranet/Intranet/Login/DWOldPassword.aspx) doesn't return anything?

Thanks

 

This is our form 

<form name="UserManagementEditForm" action='@GetValue("UserManagement:User.EditUrl")' method="post" enctype="multipart/form-data">
            <input type="hidden" name="UserManagementForm" value="1">
            <input type="hidden" id="UserManagementForm.DeleteImage" name="UserManagementForm.DeleteImage">
            <input type="hidden" id="oldPassword" value='@GetValue("DWOldPassword")' />
            
            <div class="user_edit_fields">
                <div class="row">
                  <div class="col-xs-2">@Translate("changePassword", "Parola actuala")</div>
                  <div class="col-xs-10"><input name="UserManagement_Form_OldPassword" type="password" id="UserManagement_Form_OldPassword" autocomplete="off" /></div>
                </div>
                <div class="row">
                  <div class="col-xs-2">@Translate("newPassword", "Parola noua")</div>
                  <div class="col-xs-10"><input name="UserManagement_Form_NewPassword" type="password" id="UserManagement_Form_NewPassword" autocomplete="off" /></div>
                </div>
            
                <div class="row">
                  <div class="col-xs-2">@Translate("confirmPassword", "Confirmati parola")</div>
                  <div class="col-xs-10"><input name="UserManagement_Form_NewPasswordConfirm" type="password" id="UserManagement_Form_NewPasswordConfirm" autocomplete="off" /></div>
                </div>
            
                <div class="row">
                  <div class="col-xs-2">&nbsp;</div>
                  <div class="col-xs-10">
                    <input type="submit" id="submitter" value='@Translate("changeInfo", "Modificati datele")' class="button-green" />
                  </div>
                </div>
            </div>
        </form>


Replies

 
Nicolai Høeg Pedersen

Hi Adrian

Check the mail log in \Files\Files\MailLog\.NET and see if it tells you anything. And make sure all fields for the mail confirmation have a value, i.e. the sender.

DWOldPassword will not return anything if passwords are encrypted.

Nicolai

 
Adrian Ursu

Hey Nicolai, 

The password is not encrypted so apparently DWOldPassword doesn't return anything at all. Also, can you please elaborate on fields for the mail confirmation? Where can I see a working example of a password reset form which also sends a confirmation email so I can have an idea about the fields which need to be included? I can see an example for password forgot, which has the field you're talking about, but nothing regarding the password reset.

Thanks!

 
Nicolai Høeg Pedersen

Hi Adrian

Sorry, DWOldPassword is only available in situations where the password expires due to password security rules.

Your forgot password template - this will send out the password on record:

<!--@If(Server:Request.ispostback=='true')-->
We have now sent the username and password to the submitted e-mail address.
<!--@EndIf-->

<form class="form-vertical" name="ExtUserForm" method="post" action="">
 <input type="hidden" name="ispostback" value="true">
 <input type="hidden" name="ForgotPassword" value="True">
 <input type="hidden" name="ForgotPasswordMailTemplate" value="forgot-password-mail-template.html">
 <input type="hidden" name="_ForgotPasswordConfirm" value="We are sending an email with your password and username">
 <input type="hidden" name="_ForgotPasswordEmailNotFound" value="The email address is not in out system. Contact us at info@dynamicweb.com to create a user.">
 Please fill in your user name: <input id="Username" name="Username" type="text">
 <input type="submit" />
</form>

And then have the template specified above with this information:

Dear <!--@DWExtranetNamename-->
This is your username: <!--@DWExtranetUsername--><br />
And password: <!--@DWExtranetPassword-->

In 8.6, you can use the user management module to login, reset passwords etc. See manual and attached templates (which also work in a layout template).

BR Nicolai

 
Emerie Franks

Email confirmations sent to the user on password reset and account setup have been requested by our newly launched client, Forney Industries. I believe sending emails on both of these conditions is a best practice, particularly in the interest of preventing malicious activity. Even though in most cases the user has initiated these actions and an email is an additional confirmation, it can alert users to any potential malicious attempts and give them an opportunity to stop that as quickly as possible AND releases DW from any potential liability.

Thank you for your consideration of adding this feature.

Emerie

 
Nicolai Pedersen

Hi Emerie

I believe you can do that already...

When users sign up, you have different ways of validating how the user will be created and sending them emails. See dump#1

When users recover or reset their password from the login screen (using the module for it), you can also set up notifications and different ways of resetting the password. See dump#2

Or am I misunderstanding something?

Thanks, Nicolai

Capture.PNG Capture1.PNG
 
Imar Spaanjaars Dynamicweb Employee

Hi Nicolai,

Talked to Emerie and Adrian about this, and I think this is about a notification after just changing a password in two locations:

1. After changing a password in the UI, show a message like "Your password has been changed successfully". According to Adrian there's no (simple?) way to do that currently. Any pointers?

2. After changing a user's password, send an email. From a security point of view, I think this is pretty common. Just notify the user their password has changed with a message saying that if they changed it they don't have to do anything but if they didn't they would have to reach out to the customer immediately. I don't think there's a UI notification nor a code notification to handle that, right?

Hope this explains the situation.

Imar

 
Nicolai Pedersen

Hi Imar

@1: What is the entry point? - where does the user start the change password process?

@2: No matter what password recovery model you use, I believe there is mail involved...

When you create a profile (as requested in the first thread) you can send mails to both administrator and user.

 
Adrian Ursu Dynamicweb Employee

Hi Nicolai,

Let me answer that.

1. Entry point can be User account, where the user can change his password, or the Password recovery process in cases where we choose to let the user set the new password instead of generating one.

2. This is not about password recovery. This is about Password Edit and mainly Password Edit from My account.

I hope this makes sense. Thanks,
Adrian

 
Nicolai Pedersen

@1: You would never let the user set the new password if they do not know the old one - that would be a giant security risk. All the reset password methods in DW send an email unless there is something I do not know.

@2: Ok, so usermanagement frontend, edit profile section? When a user edits their settings, send an email, maybe only if the password was changed?

 
Adrian Ursu Dynamicweb Employee

@1: Agree

@2: Yes. When a user edits his settings (especially Password) send a notification email. At this point, we have been asked just to send a notification and not to send a notification to confirm the change.

Thank you,

Adrian
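
The flow the thread converges on (the current password is required before a new one is accepted, and a notification mail is produced only when the password actually changed), as an added C# example that is not part of the original posts and does not use Dynamicweb's API. `UserRecord`, `PasswordChange`, the sender address and PBKDF2-hashed password storage are assumptions made for the illustration.

```csharp
using System;
using System.Net.Mail;
using System.Security.Cryptography;

// Added illustration, not Dynamicweb code. UserRecord and PasswordChange are hypothetical.
public sealed class UserRecord
{
    public string Email = "";
    public byte[] Salt = Array.Empty<byte>();
    public byte[] Hash = Array.Empty<byte>();
}

public static class PasswordChange
{
    const int Iterations = 210_000; // assumed PBKDF2-HMAC-SHA256 work factor

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);

    // Arguments correspond to the form fields UserManagement_Form_OldPassword,
    // UserManagement_Form_NewPassword and UserManagement_Form_NewPasswordConfirm.
    // Returns the notification for the caller to send, or null when nothing was changed.
    public static MailMessage? TryChange(UserRecord user, string oldPw, string newPw, string confirmPw)
    {
        // Require proof of the current password before accepting a new one.
        if (!CryptographicOperations.FixedTimeEquals(Derive(oldPw, user.Salt), user.Hash))
            return null;

        // Reject empty, mismatched or unchanged passwords; no mail in these cases.
        if (newPw.Length == 0 || newPw != confirmPw || newPw == oldPw)
            return null;

        // Store a fresh salt and hash; the plaintext is never persisted.
        user.Salt = RandomNumberGenerator.GetBytes(16);
        user.Hash = Derive(newPw, user.Salt);

        // Notification only: neither the old nor the new password goes into the mail.
        return new MailMessage("noreply@example.com", user.Email)
        {
            Subject = "Your password was changed",
            Body = $"The password for your account was changed on {DateTime.UtcNow:u}.\n" +
                   "If you made this change, no action is needed.\n" +
                   "If you did not, contact support immediately."
        };
    }
}
```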

 
