473,732 Members | 2,171 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Changing Expired Oracle Passwords w/ ASP

Hi,

We have a web application where we want a user to be able to change his/her
password if the password has expired but we are unable to do this with ASP
(at the moment) because we can't log the user into the database without a
valid password. We do not want to store any "admin" user info to connect to
the database to change the users password for security issues. Does anyone
have any ideas of how we could go about doing this? Any help would be
greatly appreciated!

Thanks,

Neil
Jul 19 '05 #1
4 3850
"ecPunk" wrote:
: We have a web application where we want a user to be able to change
his/her
: password if the password has expired but we are unable to do this with ASP
: (at the moment) because we can't log the user into the database without a
: valid password. We do not want to store any "admin" user info to connect
to
: the database to change the users password for security issues. Does
anyone
: have any ideas of how we could go about doing this? Any help would be
: greatly appreciated!

If you keep expired passwords, you could compare, as the OS does, to request
old password, new password, confirm new password. IMHO, it should be an SSL
connection, eliminate possibilities for SQL injection by using a stored
procedure, and check for referral to make sure only the requests exists from
your site. However, if it still requires a valid password, then you'll need
to offer a way for them to request a temporary password to modify their old
one, perhaps by relating their email address with it. If their password
expires, you could automatically send or better to wait until they request,
a link in email which provides them temporary access by issuing a time link,
which will pass a temporary password without their knowledge. It could take
them to a page that requires that they now do the first suggestion of
providing old, new, confirm passwords to change. I would also generate
another email letting them know their password has been changed and to
contact someone if it was not generated by them.

Just because they go to your site doesn't mean they have to get into the
database, or it shouldn't. Asking for a password change could generate a
lookup into the database but only to verify the email address given as one
that already exists so a link could be generated that allows them temporary
access. If you want it time critical then you would store the time it was
requested after approval so they had to follow up and change their password
within that time frame or it would be expired. Whatever you have for your
maintenance could remove expired password change requests. Successful
password change requests would cleanup after themselves.

I have a similar routine I wrote for a contact form to eliminate spam. The
message is stored and an email is generated to the OP. The OP must click on
a link, with a certain time frame, or the message is deleted from the
database instead of being forward via email. The difference here is I'm
generating a random number with a random seed and storing that into the
database, generating the email and waiting for a confirmation which provides
a link that passes this information back. It them puts them into the
database to test against future correspondence from valid users. If they're
in the database and approved, I get the email. If not, they get sent an
email with a link to be approved.

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Jul 19 '05 #2

"Roland Hall" <nobody@nowhere > wrote in message
news:ON******** ******@TK2MSFTN GP12.phx.gbl...
"ecPunk" wrote:
: We have a web application where we want a user to be able to change
his/her
: password if the password has expired but we are unable to do this with ASP : (at the moment) because we can't log the user into the database without a : valid password. We do not want to store any "admin" user info to connect to
: the database to change the users password for security issues. Does
anyone
: have any ideas of how we could go about doing this? Any help would be
: greatly appreciated!

If you keep expired passwords, you could compare, as the OS does, to request old password, new password, confirm new password. IMHO, it should be an SSL connection, eliminate possibilities for SQL injection by using a stored
procedure, and check for referral to make sure only the requests exists from your site. However, if it still requires a valid password, then you'll need to offer a way for them to request a temporary password to modify their old one, perhaps by relating their email address with it. If their password
expires, you could automatically send or better to wait until they request, a link in email which provides them temporary access by issuing a time link, which will pass a temporary password without their knowledge. It could take them to a page that requires that they now do the first suggestion of
providing old, new, confirm passwords to change. I would also generate
another email letting them know their password has been changed and to
contact someone if it was not generated by them.

Just because they go to your site doesn't mean they have to get into the
database, or it shouldn't. Asking for a password change could generate a
lookup into the database but only to verify the email address given as one
that already exists so a link could be generated that allows them temporary access. If you want it time critical then you would store the time it was
requested after approval so they had to follow up and change their password within that time frame or it would be expired. Whatever you have for your
maintenance could remove expired password change requests. Successful
password change requests would cleanup after themselves.

I have a similar routine I wrote for a contact form to eliminate spam. The message is stored and an email is generated to the OP. The OP must click on a link, with a certain time frame, or the message is deleted from the
database instead of being forward via email. The difference here is I'm
generating a random number with a random seed and storing that into the
database, generating the email and waiting for a confirmation which provides a link that passes this information back. It them puts them into the
database to test against future correspondence from valid users. If they're in the database and approved, I get the email. If not, they get sent an
email with a link to be approved.

HTH...

After reading my post a bit more clearly, it would seem that I wrote it a
bit too quickly and
wasn't too clear on exactly what i meant. We are using actual Oracle users
to log into the
database rather than using a users table, etc. And it's here where the
problem lies, we can
not get into the database to store the user's password when it expires
because it is not a valid
login if the user's account is expired.

I appreciate your suggestions though Roland, thank you!

Neil
Jul 19 '05 #3
"ecPunk" wrote:
: After reading my post a bit more clearly, it would seem that I wrote it a
: bit too quickly and
: wasn't too clear on exactly what i meant. We are using actual Oracle
users
: to log into the
: database rather than using a users table, etc. And it's here where the
: problem lies, we can
: not get into the database to store the user's password when it expires
: because it is not a valid
: login if the user's account is expired.
:
: I appreciate your suggestions though Roland, thank you!

Hey Neil...

Thanks for responding.

If you use an unknown account that has privs, you can provide a link,
request the information and with server-side code allow that account to make
the changes for them. They input the old password and new password with a
confirm. It looks in the database and retrieves the old password, and it
compares. If successful and the new password and confirm fields match each
other, then it changes the password for the user and notifies them of its
success. Now that I think about it, I'd ask for the username also, and
compare one exists. It sounds like a simple process to me.

Are you telling me you cannot retrieve a list of users from the database?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Jul 19 '05 #4
Keshi
3 New Member
Hi,
Maybe this free tool at www.dbmotive.com might be what you looking for.
Regards,
Keshi
Feb 27 '06 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
0
2767
Protocol Violation when user password is expired
by: Bob Rivers | last post by:
Hi, I have an application that uses jdbc (9.2.0.3/classes12) to connect to an Oracle db (9i). It works fine, except when the user password is going to expire. Let me try to explain (sorry my poor english): my oracle db manages the users passwords, and this passwords are configured to expire every 90 days. So, when the password are going to expire, oracle asks to users if they want to change it.
Oracle Database
1
4288
Changing domain password
by: Mindy Geac | last post by:
Hello, I'm seaching for the possibility to change Domain/User passwords. And a check for users if the password has to change with the first logon or when the password is expired. thanx, Mindy
ASP / Active Server Pages
3
2126
Re-logging into An Oracle Database
by: Marvinq | last post by:
I am working on an Access 2002/Oracle vba automated overnight process. The problem is there is one user with rights to a certian set of tables and another user with a certain set of tables. I can't run the overnight process with just one login. Currently, I am having problems with relogging into the database with a different login. Even when I enter a different userid and password into a connection string, the system seems to still use...
Microsoft Access / VBA
4
5719
Asp.net / iis / oracle problem
by: BookerW | last post by:
I am not sure which forum I should post this on, but here is the problem. I have a front end web application(VB) on asp,net 1.1 framework. Inside of the code, I have the following lines to connect to the database If gbSQLServer Then 'sConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=c:\w\vgyl\hy.mdb" gsConnectionString = "Provider=SQLOLEDB;Data Source=frt4;Initial Catalog=SRMSM;Integrated Security=SSPI" Else
ASP.NET
5
5392
Problem with Information Integrator/Federated Datase - Oracle
by: Michael Rudolph | last post by:
Hi newsgroup, I have an issue with the configuration of a DB2 federated database (WebSphere Information Integrator) in conjunction with the relational wrapper for Oracle on AIX. DB2 seems to not use the existing tnsnames.ora. The Oracle client is installed and the connection to the Oracle database using tnsping and sqlplus is possible (for the db2instance user). For that I changed the environment for the db2instanceuser and added the...
DB2 Database
1
2870
Handling expired passwords in Forms v.6.0.5
by: Pogiso | last post by:
I am having problems trying to prompt forms to bring up the password change screen once a user's password has expired (ORA-28001: The password has expired ). Has anyone out there figured how to suppress this message and call up the password change screen.
Oracle Database
4
4324
Changing the password when it expires.
by: Renilkumar | last post by:
Hi, We have developed a .net2.0 application using asp.net, vb.net and oracle9i. From the appl. we pass the datasource=;userid=;password=; to validate the username and password against the user_users table in oracle. When the password is expired, We are forcing the user to change the password through a screen which uses... ALTER USER <user> IDENTIFIED BY <newpassword> REPLACE <oldpassword> But the moment this statement excecute in the...
.NET Framework
1
5998
Troubleshooting Timeout expired. All pooled connections were in use and max pool size was reached.
by: jobs | last post by:
Re: Troubleshooting Timeout expired. All pooled connections were in use and max pool size was reached. New webservers. win2003. IIS6. asp.net 2.0/ sql server 2005 and Oracle 9i through a 64 bit Oracle client. Everything working fine until this. I started getting these errors as the new website activity started to heat up. Timeout expired. The timeout period elapsed prior to obtaining a
ASP.NET
3
1686
Oracle newbie
by: db_happy | last post by:
Hello I install Oracle8 Enterprise Edition Release 8.0.4 for Windows NT and I choose Typical in Starter Database.As I understand ORACLE create a sample database for me (If that is wrong please inform me).Also the installation create some services.Probably my starter database is OracleServiceORCL and OracleStartORCL which they running.Also running OracleTNSListener80 and OracleWebAssistant. Then i try to connect with Oracle Enterprise...
Oracle Database
0
8946
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
0
8774
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
1
9235
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
9181
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
8186
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
0
4550
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
4809
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
3261
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
3
2180
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us