
Changing Expired Oracle Passwords w/ ASP - ASP Database


  1. #1

    Changing Expired Oracle Passwords w/ ASP

    Hi,

    We have a web application where we want a user to be able to change his/her
    password if the password has expired but we are unable to do this with ASP
    (at the moment) because we can't log the user into the database without a
    valid password. We do not want to store any "admin" user info to connect to
    the database to change the user's password for security issues. Does anyone
    have any ideas of how we could go about doing this? Any help would be
    greatly appreciated!

    Thanks,

    Neil


    ecPunk Guest

  2. #2

    Re: Changing Expired Oracle Passwords w/ ASP

    "ecPunk" wrote:
    : We have a web application where we want a user to be able to change his/her
    : password if the password has expired but we are unable to do this with ASP
    : (at the moment) because we can't log the user into the database without a
    : valid password. We do not want to store any "admin" user info to connect to
    : the database to change the user's password for security issues. Does anyone
    : have any ideas of how we could go about doing this? Any help would be
    : greatly appreciated!

    If you keep expired passwords, you could compare, as the OS does, to request
    old password, new password, confirm new password. IMHO, it should be an SSL
    connection, eliminate possibilities for SQL injection by using a stored
    procedure, and check for referral to make sure only the requests exist from
    your site. However, if it still requires a valid password, then you'll need
    to offer a way for them to request a temporary password to modify their old
    one, perhaps by relating their email address with it. If their password
    expires, you could automatically send or better to wait until they request,
    a link in email which provides them temporary access by issuing a time link,
    which will pass a temporary password without their knowledge. It could take
    them to a page that requires that they now do the first suggestion of
    providing old, new, confirm passwords to change. I would also generate
    another email letting them know their password has been changed and to
    contact someone if it was not generated by them.

    Just because they go to your site doesn't mean they have to get into the
    database, or it shouldn't. Asking for a password change could generate a
    lookup into the database but only to verify the email address given as one
    that already exists so a link could be generated that allows them temporary
    access. If you want it time critical then you would store the time it was
    requested after approval so they had to follow up and change their password
    within that time frame or it would be expired. Whatever you have for your
    maintenance could remove expired password change requests. Successful
    password change requests would cleanup after themselves.

    I have a similar routine I wrote for a contact form to eliminate spam. The
    message is stored and an email is generated to the OP. The OP must click on
    a link, within a certain time frame, or the message is deleted from the
    database instead of being forwarded via email. The difference here is I'm
    generating a random number with a random seed and storing that into the
    database, generating the email and waiting for a confirmation which provides
    a link that passes this information back. It then puts them into the
    database to test against future correspondence from valid users. If they're
    in the database and approved, I get the email. If not, they get sent an
    email with a link to be approved.

    HTH...

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp


    Roland Hall Guest
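
The timed-link flow described in post #2, as an added example that is not part of the original thread. The function names, the in-memory dict standing in for the database table, and the 15-minute window are assumptions; the token comes from a CSPRNG and only its hash is stored, which is this example's choice rather than the seeded random number the post mentions.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 15 * 60  # assumed validity window; the post leaves the time frame open


def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(pending: dict, known_emails: set, email: str, now: float = None):
    """Return a token to put in the e-mailed link, or None if the address is not on file."""
    now = time.time() if now is None else now
    if email not in known_emails:
        return None  # the page shown to the requester should be the same either way
    # A new request replaces any earlier outstanding one for this address.
    for key in [k for k, v in pending.items() if v["email"] == email]:
        del pending[key]
    token = secrets.token_urlsafe(32)  # unpredictable, URL-safe
    pending[_digest(token)] = {"email": email, "expires": now + TTL_SECONDS}
    return token


def redeem_reset(pending: dict, token: str, now: float = None):
    """Return the e-mail the token was issued for, or None. Each token works once."""
    now = time.time() if now is None else now
    # pop() removes the row whether or not it is still valid, so a successful
    # change request cleans up after itself and an expired one cannot be retried.
    entry = pending.pop(_digest(token), None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["email"]


def purge_expired(pending: dict, now: float = None) -> int:
    """Maintenance job: delete requests that were never followed up. Returns the count."""
    now = time.time() if now is None else now
    stale = [k for k, v in pending.items() if now > v["expires"]]
    for key in stale:
        del pending[key]
    return len(stale)
```
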

  3. #3

    Re: Changing Expired Oracle Passwords w/ ASP


    "Roland Hall" <nobodynowhere> wrote in message
    news:ON1GxZa8DHA.1948TK2MSFTNGP12.phx.gbl...
    > "ecPunk" wrote:
    > : We have a web application where we want a user to be able to change his/her
    > : password if the password has expired but we are unable to do this with ASP
    > : (at the moment) because we can't log the user into the database without a
    > : valid password. We do not want to store any "admin" user info to connect to
    > : the database to change the user's password for security issues. Does anyone
    > : have any ideas of how we could go about doing this? Any help would be
    > : greatly appreciated!
    >
    > If you keep expired passwords, you could compare, as the OS does, to request
    > old password, new password, confirm new password. IMHO, it should be an SSL
    > connection, eliminate possibilities for SQL injection by using a stored
    > procedure, and check for referral to make sure only the requests exist from
    > your site. However, if it still requires a valid password, then you'll need
    > to offer a way for them to request a temporary password to modify their old
    > one, perhaps by relating their email address with it. If their password
    > expires, you could automatically send or better to wait until they request,
    > a link in email which provides them temporary access by issuing a time link,
    > which will pass a temporary password without their knowledge. It could take
    > them to a page that requires that they now do the first suggestion of
    > providing old, new, confirm passwords to change. I would also generate
    > another email letting them know their password has been changed and to
    > contact someone if it was not generated by them.
    >
    > Just because they go to your site doesn't mean they have to get into the
    > database, or it shouldn't. Asking for a password change could generate a
    > lookup into the database but only to verify the email address given as one
    > that already exists so a link could be generated that allows them temporary
    > access. If you want it time critical then you would store the time it was
    > requested after approval so they had to follow up and change their password
    > within that time frame or it would be expired. Whatever you have for your
    > maintenance could remove expired password change requests. Successful
    > password change requests would cleanup after themselves.
    >
    > I have a similar routine I wrote for a contact form to eliminate spam. The
    > message is stored and an email is generated to the OP. The OP must click on
    > a link, within a certain time frame, or the message is deleted from the
    > database instead of being forwarded via email. The difference here is I'm
    > generating a random number with a random seed and storing that into the
    > database, generating the email and waiting for a confirmation which provides
    > a link that passes this information back. It then puts them into the
    > database to test against future correspondence from valid users. If they're
    > in the database and approved, I get the email. If not, they get sent an
    > email with a link to be approved.
    >
    > HTH...

    After reading my post a bit more clearly, it would seem that I wrote it a
    bit too quickly and wasn't too clear on exactly what I meant. We are using
    actual Oracle users to log into the database rather than using a users
    table, etc. And it's here where the problem lies, we can not get into the
    database to store the user's password when it expires because it is not a
    valid login if the user's account is expired.

    I appreciate your suggestions though Roland, thank you!

    Neil


    ecPunk Guest

  4. #4

    Re: Changing Expired Oracle Passwords w/ ASP

    "ecPunk" wrote:
    : After reading my post a bit more clearly, it would seem that I wrote it a
    : bit too quickly and wasn't too clear on exactly what I meant. We are using
    : actual Oracle users to log into the database rather than using a users
    : table, etc. And it's here where the problem lies, we can not get into the
    : database to store the user's password when it expires because it is not a
    : valid login if the user's account is expired.
    :
    : I appreciate your suggestions though Roland, thank you!

    Hey Neil...

    Thanks for responding.

    If you use an unknown account that has privs, you can provide a link,
    request the information and with server-side code allow that account to make
    the changes for them. They input the old password and new password with a
    confirm. It looks in the database and retrieves the old password, and it
    compares. If successful and the new password and confirm fields match each
    other, then it changes the password for the user and notifies them of its
    success. Now that I think about it, I'd ask for the username also, and
    compare one exists. It sounds like a simple process to me.

    Are you telling me you cannot retrieve a list of users from the database?

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp


    Roland Hall Guest
