Changing Expired Oracle Passwords w/ ASP

[ecPunk]

Hi,

We have a web application where we want a user to be able to change his/her
password if the password has expired but we are unable to do this with ASP
(at the moment) because we can't log the user into the database without a
valid password. We do not want to store any "admin" user info to connect to
the database to change the users password for security issues. Does anyone
have any ideas of how we could go about doing this? Any help would be
greatly appreciated!

Thanks,

Neil

[Roland Hall]

"ecPunk" wrote:
: We have a web application where we want a user to be able to change
his/her
: password if the password has expired but we are unable to do this with ASP
: (at the moment) because we can't log the user into the database without a
: valid password. We do not want to store any "admin" user info to connect
to
: the database to change the users password for security issues. Does
anyone
: have any ideas of how we could go about doing this? Any help would be
: greatly appreciated!

If you keep expired passwords, you could compare, as the OS does, to request
old password, new password, confirm new password. IMHO, it should be an SSL
connection, eliminate possibilities for SQL injection by using a stored
procedure, and check for referral to make sure only the requests exists from
your site. However, if it still requires a valid password, then you'll need
to offer a way for them to request a temporary password to modify their old
one, perhaps by relating their email address with it. If their password
expires, you could automatically send or better to wait until they request,
a link in email which provides them temporary access by issuing a time link,
which will pass a temporary password without their knowledge. It could take
them to a page that requires that they now do the first suggestion of
providing old, new, confirm passwords to change. I would also generate
another email letting them know their password has been changed and to
contact someone if it was not generated by them.

Just because they go to your site doesn't mean they have to get into the
database, or it shouldn't. Asking for a password change could generate a
lookup into the database but only to verify the email address given as one
that already exists so a link could be generated that allows them temporary
access. If you want it time critical then you would store the time it was
requested after approval so they had to follow up and change their password
within that time frame or it would be expired. Whatever you have for your
maintenance could remove expired password change requests. Successful
password change requests would cleanup after themselves.

I have a similar routine I wrote for a contact form to eliminate spam. The
message is stored and an email is generated to the OP. The OP must click on
a link, with a certain time frame, or the message is deleted from the
database instead of being forward via email. The difference here is I'm
generating a random number with a random seed and storing that into the
database, generating the email and waiting for a confirmation which provides
a link that passes this information back. It them puts them into the
database to test against future correspondence from valid users. If they're
in the database and approved, I get the email. If not, they get sent an
email with a link to be approved.

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - [url]http://www.microsoft.com/technet/scriptcenter/[/url]
WSH 5.6 Documentation - [url]http://msdn.microsoft.com/downloads/list/webdev.asp[/url]
MSDN Library - [url]http://msdn.microsoft.com/library/default.asp[/url]

[ecPunk]

"Roland Hall" <nobody@nowhere> wrote in message
news:ON1GxZa8DHA.1948@TK2MSFTNGP12.phx.gbl...

> "ecPunk" wrote:
> : We have a web application where we want a user to be able to change
> his/her
> : password if the password has expired but we are unable to do this with

ASP

> : (at the moment) because we can't log the user into the database without

a

> : valid password. We do not want to store any "admin" user info to

connect

> to
> : the database to change the users password for security issues. Does
> anyone
> : have any ideas of how we could go about doing this? Any help would be
> : greatly appreciated!
>
> If you keep expired passwords, you could compare, as the OS does, to

request

> old password, new password, confirm new password. IMHO, it should be an

SSL

> connection, eliminate possibilities for SQL injection by using a stored
> procedure, and check for referral to make sure only the requests exists

from

> your site. However, if it still requires a valid password, then you'll

need

> to offer a way for them to request a temporary password to modify their

old

> one, perhaps by relating their email address with it. If their password
> expires, you could automatically send or better to wait until they

request,

> a link in email which provides them temporary access by issuing a time

link,

> which will pass a temporary password without their knowledge. It could

take

> them to a page that requires that they now do the first suggestion of
> providing old, new, confirm passwords to change. I would also generate
> another email letting them know their password has been changed and to
> contact someone if it was not generated by them.
>
> Just because they go to your site doesn't mean they have to get into the
> database, or it shouldn't. Asking for a password change could generate a
> lookup into the database but only to verify the email address given as one
> that already exists so a link could be generated that allows them

temporary

> access. If you want it time critical then you would store the time it was
> requested after approval so they had to follow up and change their

password

> within that time frame or it would be expired. Whatever you have for your
> maintenance could remove expired password change requests. Successful
> password change requests would cleanup after themselves.
>
> I have a similar routine I wrote for a contact form to eliminate spam.

The

> message is stored and an email is generated to the OP. The OP must click

on

> a link, with a certain time frame, or the message is deleted from the
> database instead of being forward via email. The difference here is I'm
> generating a random number with a random seed and storing that into the
> database, generating the email and waiting for a confirmation which

provides

> a link that passes this information back. It them puts them into the
> database to test against future correspondence from valid users. If

they're

> in the database and approved, I get the email. If not, they get sent an
> email with a link to be approved.
>
> HTH...

After reading my post a bit more clearly, it would seem that I wrote it a
bit too quickly and
wasn't too clear on exactly what i meant. We are using actual Oracle users
to log into the
database rather than using a users table, etc. And it's here where the
problem lies, we can
not get into the database to store the user's password when it expires
because it is not a valid
login if the user's account is expired.

I appreciate your suggestions though Roland, thank you!

Neil

[Roland Hall]

"ecPunk" wrote:
: After reading my post a bit more clearly, it would seem that I wrote it a
: bit too quickly and
: wasn't too clear on exactly what i meant. We are using actual Oracle
users
: to log into the
: database rather than using a users table, etc. And it's here where the
: problem lies, we can
: not get into the database to store the user's password when it expires
: because it is not a valid
: login if the user's account is expired.
:
: I appreciate your suggestions though Roland, thank you!

Hey Neil...

Thanks for responding.

If you use an unknown account that has privs, you can provide a link,
request the information and with server-side code allow that account to make
the changes for them. They input the old password and new password with a
confirm. It looks in the database and retrieves the old password, and it
compares. If successful and the new password and confirm fields match each
other, then it changes the password for the user and notifies them of its
success. Now that I think about it, I'd ask for the username also, and
compare one exists. It sounds like a simple process to me.

Are you telling me you cannot retrieve a list of users from the database?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - [url]http://www.microsoft.com/technet/scriptcenter/[/url]
WSH 5.6 Documentation - [url]http://msdn.microsoft.com/downloads/list/webdev.asp[/url]
MSDN Library - [url]http://msdn.microsoft.com/library/default.asp[/url]