"ecPunk" wrote:
: We have a web application where we want a user to be able to change
his/her
: password if the password has expired but we are unable to do this with ASP
: (at the moment) because we can't log the user into the database without a
: valid password. We do not want to store any "admin" user info to connect
to
: the database to change the users password for security issues. Does
anyone
: have any ideas of how we could go about doing this? Any help would be
: greatly appreciated!
If you keep expired passwords, you could compare, as the OS does, to request
old password, new password, confirm new password. IMHO, it should be an SSL
connection, eliminate possibilities for SQL injection by using a stored
procedure, and check for referral to make sure only the requests exists from
your site. However, if it still requires a valid password, then you'll need
to offer a way for them to request a temporary password to modify their old
one, perhaps by relating their email address with it. If their password
expires, you could automatically send or better to wait until they request,
a link in email which provides them temporary access by issuing a time link,
which will pass a temporary password without their knowledge. It could take
them to a page that requires that they now do the first suggestion of
providing old, new, confirm passwords to change. I would also generate
another email letting them know their password has been changed and to
contact someone if it was not generated by them.
Just because they go to your site doesn't mean they have to get into the
database, or it shouldn't. Asking for a password change could generate a
lookup into the database but only to verify the email address given as one
that already exists so a link could be generated that allows them temporary
access. If you want it time critical then you would store the time it was
requested after approval so they had to follow up and change their password
within that time frame or it would be expired. Whatever you have for your
maintenance could remove expired password change requests. Successful
password change requests would cleanup after themselves.
I have a similar routine I wrote for a contact form to eliminate spam. The
message is stored and an email is generated to the OP. The OP must click on
a link, with a certain time frame, or the message is deleted from the
database instead of being forward via email. The difference here is I'm
generating a random number with a random seed and storing that into the
database, generating the email and waiting for a confirmation which provides
a link that passes this information back. It them puts them into the
database to test against future correspondence from valid users. If they're
in the database and approved, I get the email. If not, they get sent an
email with a link to be approved.
HTH...
--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center -
http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation -
http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library -
http://msdn.microsoft.com/library/default.asp