Changing Expired Oracle Passwords w/ ASP

Discussion in 'ASP General' started by ecPunk, Feb 12, 2004.

  1. ecPunk

    ecPunk Guest

    Hi,

    We have a web application where we want a user to be able to change his/her
    password if the password has expired but we are unable to do this with ASP
    (at the moment) because we can't log the user into the database without a
    valid password. We do not want to store any "admin" user info to connect to
    the database to change the users password for security issues. Does anyone
    have any ideas of how we could go about doing this? Any help would be
    greatly appreciated!

    Thanks,

    Neil
     
    ecPunk, Feb 12, 2004
    #1
    1. Advertising

  2. ecPunk

    Roland Hall Guest

    "ecPunk" wrote:
    : We have a web application where we want a user to be able to change
    his/her
    : password if the password has expired but we are unable to do this with ASP
    : (at the moment) because we can't log the user into the database without a
    : valid password. We do not want to store any "admin" user info to connect
    to
    : the database to change the users password for security issues. Does
    anyone
    : have any ideas of how we could go about doing this? Any help would be
    : greatly appreciated!

    If you keep expired passwords, you could compare, as the OS does, to request
    old password, new password, confirm new password. IMHO, it should be an SSL
    connection, eliminate possibilities for SQL injection by using a stored
    procedure, and check for referral to make sure only the requests exists from
    your site. However, if it still requires a valid password, then you'll need
    to offer a way for them to request a temporary password to modify their old
    one, perhaps by relating their email address with it. If their password
    expires, you could automatically send or better to wait until they request,
    a link in email which provides them temporary access by issuing a time link,
    which will pass a temporary password without their knowledge. It could take
    them to a page that requires that they now do the first suggestion of
    providing old, new, confirm passwords to change. I would also generate
    another email letting them know their password has been changed and to
    contact someone if it was not generated by them.

    Just because they go to your site doesn't mean they have to get into the
    database, or it shouldn't. Asking for a password change could generate a
    lookup into the database but only to verify the email address given as one
    that already exists so a link could be generated that allows them temporary
    access. If you want it time critical then you would store the time it was
    requested after approval so they had to follow up and change their password
    within that time frame or it would be expired. Whatever you have for your
    maintenance could remove expired password change requests. Successful
    password change requests would cleanup after themselves.

    I have a similar routine I wrote for a contact form to eliminate spam. The
    message is stored and an email is generated to the OP. The OP must click on
    a link, with a certain time frame, or the message is deleted from the
    database instead of being forward via email. The difference here is I'm
    generating a random number with a random seed and storing that into the
    database, generating the email and waiting for a confirmation which provides
    a link that passes this information back. It them puts them into the
    database to test against future correspondence from valid users. If they're
    in the database and approved, I get the email. If not, they get sent an
    email with a link to be approved.

    HTH...

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
     
    Roland Hall, Feb 12, 2004
    #2
    1. Advertising

  3. ecPunk

    ecPunk Guest

    "Roland Hall" <nobody@nowhere> wrote in message
    news:...
    > "ecPunk" wrote:
    > : We have a web application where we want a user to be able to change
    > his/her
    > : password if the password has expired but we are unable to do this with

    ASP
    > : (at the moment) because we can't log the user into the database without

    a
    > : valid password. We do not want to store any "admin" user info to

    connect
    > to
    > : the database to change the users password for security issues. Does
    > anyone
    > : have any ideas of how we could go about doing this? Any help would be
    > : greatly appreciated!
    >
    > If you keep expired passwords, you could compare, as the OS does, to

    request
    > old password, new password, confirm new password. IMHO, it should be an

    SSL
    > connection, eliminate possibilities for SQL injection by using a stored
    > procedure, and check for referral to make sure only the requests exists

    from
    > your site. However, if it still requires a valid password, then you'll

    need
    > to offer a way for them to request a temporary password to modify their

    old
    > one, perhaps by relating their email address with it. If their password
    > expires, you could automatically send or better to wait until they

    request,
    > a link in email which provides them temporary access by issuing a time

    link,
    > which will pass a temporary password without their knowledge. It could

    take
    > them to a page that requires that they now do the first suggestion of
    > providing old, new, confirm passwords to change. I would also generate
    > another email letting them know their password has been changed and to
    > contact someone if it was not generated by them.
    >
    > Just because they go to your site doesn't mean they have to get into the
    > database, or it shouldn't. Asking for a password change could generate a
    > lookup into the database but only to verify the email address given as one
    > that already exists so a link could be generated that allows them

    temporary
    > access. If you want it time critical then you would store the time it was
    > requested after approval so they had to follow up and change their

    password
    > within that time frame or it would be expired. Whatever you have for your
    > maintenance could remove expired password change requests. Successful
    > password change requests would cleanup after themselves.
    >
    > I have a similar routine I wrote for a contact form to eliminate spam.

    The
    > message is stored and an email is generated to the OP. The OP must click

    on
    > a link, with a certain time frame, or the message is deleted from the
    > database instead of being forward via email. The difference here is I'm
    > generating a random number with a random seed and storing that into the
    > database, generating the email and waiting for a confirmation which

    provides
    > a link that passes this information back. It them puts them into the
    > database to test against future correspondence from valid users. If

    they're
    > in the database and approved, I get the email. If not, they get sent an
    > email with a link to be approved.
    >
    > HTH...



    After reading my post a bit more clearly, it would seem that I wrote it a
    bit too quickly and
    wasn't too clear on exactly what i meant. We are using actual Oracle users
    to log into the
    database rather than using a users table, etc. And it's here where the
    problem lies, we can
    not get into the database to store the user's password when it expires
    because it is not a valid
    login if the user's account is expired.

    I appreciate your suggestions though Roland, thank you!

    Neil
     
    ecPunk, Feb 13, 2004
    #3
  4. ecPunk

    Roland Hall Guest

    "ecPunk" wrote:
    : After reading my post a bit more clearly, it would seem that I wrote it a
    : bit too quickly and
    : wasn't too clear on exactly what i meant. We are using actual Oracle
    users
    : to log into the
    : database rather than using a users table, etc. And it's here where the
    : problem lies, we can
    : not get into the database to store the user's password when it expires
    : because it is not a valid
    : login if the user's account is expired.
    :
    : I appreciate your suggestions though Roland, thank you!

    Hey Neil...

    Thanks for responding.

    If you use an unknown account that has privs, you can provide a link,
    request the information and with server-side code allow that account to make
    the changes for them. They input the old password and new password with a
    confirm. It looks in the database and retrieves the old password, and it
    compares. If successful and the new password and confirm fields match each
    other, then it changes the password for the user and notifies them of its
    success. Now that I think about it, I'd ask for the username also, and
    compare one exists. It sounds like a simple process to me.

    Are you telling me you cannot retrieve a list of users from the database?

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
     
    Roland Hall, Feb 14, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Anonymous User
    Replies:
    0
    Views:
    361
    Anonymous User
    Jul 9, 2005
  2. Christine Eliot

    Changing Machine Account Passwords via .NET

    Christine Eliot, Nov 17, 2005, in forum: ASP .Net
    Replies:
    0
    Views:
    392
    Christine Eliot
    Nov 17, 2005
  3. Replies:
    2
    Views:
    2,659
    Nigel Wade
    Feb 17, 2006
  4. TP
    Replies:
    1
    Views:
    357
    Tad McClellan
    Oct 23, 2003
  5. Feyruz
    Replies:
    4
    Views:
    2,197
    Sherm Pendley
    Oct 14, 2005
Loading...

Share This Page