
  • Sebastian Dammark 583 posts 1407 karma points
    May 14, 2019 @ 09:17
    Sebastian Dammark
    0

    Member password renewal

    I have a client who has a lot of members that needs to renew their password every 2 weeks.

    They want to notify the member 4 days before expiration.

    And if not updated before expiration the member should be disabled and notified.

    Any ideas how to obtain this ?

  • Richard Soeteman 4046 posts 12899 karma points MVP 2x
    May 14, 2019 @ 10:37
    Richard Soeteman
    0

    Sounds like a fun project, don't know if it works with people going on holiday for three weeks ;-)

    But I would (I think):

    • Create a custom table that can store at least the member id, hashed password and expiration date.
    • When a member is saved check password with the custom table. When that is changed update the expiration date and hashed password.
    • Create a scheduled task that polls the custom tables and either send an email 4 days before expiration, or disable and notify the member.

    Hope this helps,

    Richard

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    May 14, 2019 @ 12:20
    Sebastiaan Janssen
    1

    I hate to be that guy, but make sure to read up on this requirement; you can advise them that this actually LOWERS security instead of increasing it.

    If they want to be more secure:

    • Run everything on https
    • Enforce long passwords (at least 12 characters)
    • Invest in a password manager that can create a random, unique password for them
    • Investigate investing in 2 factor authentication

    Here's an excellent article with great advice: https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/

  • Trevor Husseini 20 posts 151 karma points
    Feb 12, 2021 @ 01:02
    Trevor Husseini
    0

    I'd be curious to hear Sebastiaan's personal argument as to why custom password policies would lower the security in regards to Umbraco's Backoffice. Like, Sebastian, I too have a client that is requesting custom rules and unfortunately they can't be persuaded into a different solution. Though I can create a custom .NET membership provider, I can't hook into Umbraco v8 the same as I did in v7, which means I can't offer the same experience to Backoffice users.

    For example, in v7, you could attach event handlers to requests by implementing IHttpModule. In doing so, the Init method gains access to the HttpApplication and you can isolate requests made to Umbraco's API by URL. This allowed us to rewrite URLs and ultimately hide sections and dashboards when the user's current password no longer met the requirements. We would then leave only a custom password change form section visible.

    In v8, I've been able to hook into the UserService.SavingUser to capture information about the last time the user logged in, however, I'm not finding a way to alter the sections and dashboards. A section service does not exist in this version because it "has become unnecessary" and the ApplicationTreeService has been deprecated.

    Ultimately, I'm looking to answer the question "is there a way to override the requests to '/umbraco/backoffice/umbracoapi/section/getsections' and '/umbraco/backoffice/umbracoapi/dashboard/getdashboard'?"

  • Trevor Husseini 20 posts 151 karma points
    Jan 07, 2022 @ 00:42
    Trevor Husseini
    0

    Sebastian,

    I know this response is late and the problem has probably already been solved, but I want to direct you to this post because we had similar requirements.

    If I were tasked with this problem, I'd leverage Sebastiaan's Umbraco/Hangfire solution. Create a task that runs, say, once an hour that compares all users' (lastPasswordChangeDate + 10 days) in the umbracoUser table to the current date/time. If they're roughly equal, send them a reminder that their password is expiring in ~4 days. I'd then create a separate task that disables and notifies users whose passwords were last changed 2 weeks or more ago. To disable the user, I'd set the userDisabled and userNoConsole bits in the umbracoUser table high.

    Hope this helps!
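
Added example, not code from the thread, from Umbraco or from Hangfire: the decision logic behind both Richard's "poll a custom table from a scheduled task" design and Trevor's "hourly Hangfire job over lastPasswordChangeDate" design, written as one pure function so it can be unit tested without a clock or a database. It uses the thread's numbers (14-day maximum age, reminder 4 days before expiry) and fixes the weak spot in an hourly "roughly equal" comparison: a reminder is recorded per password, so the next hourly run does not mail the member again, and a reminder from the previous cycle does not suppress the next one. `IMemberPasswordStore`, `MemberRecord` and `InMemoryStore` are hypothetical stand-ins for the custom table or umbracoUser lookups; where the job would actually flip `userDisabled`/`userNoConsole` or send mail is left to the store and the `notify` callback. Sebastiaan's caveat still applies: this enforces the client's requirement, it does not make the site more secure.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public enum PasswordAction { None, Remind, Disable }

// Hypothetical row shape for the custom table / umbracoUser projection.
public sealed class MemberRecord
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    public DateTime LastPasswordChangeUtc { get; set; }
    public DateTime? ReminderSentUtc { get; set; }   // guards against re-sending every hour
    public bool Disabled { get; set; }
}

// Hypothetical persistence boundary; a real job would talk to Umbraco's services here.
public interface IMemberPasswordStore
{
    IEnumerable<MemberRecord> GetActiveMembers();
    void MarkReminderSent(int id, DateTime whenUtc);
    void Disable(int id);
}

public static class PasswordExpiryPolicy
{
    public static readonly TimeSpan MaxAge = TimeSpan.FromDays(14);        // "every 2 weeks"
    public static readonly TimeSpan ReminderLeadTime = TimeSpan.FromDays(4); // "4 days before"

    // Pure decision function: same input always gives the same action.
    public static PasswordAction Evaluate(MemberRecord m, DateTime nowUtc)
    {
        if (m.Disabled) return PasswordAction.None;

        var expiresUtc = m.LastPasswordChangeUtc + MaxAge;
        if (nowUtc >= expiresUtc) return PasswordAction.Disable;

        var remindFromUtc = expiresUtc - ReminderLeadTime; // lastChange + 10 days
        // A reminder only counts if it was sent for the *current* password.
        bool alreadyReminded = m.ReminderSentUtc.HasValue
                               && m.ReminderSentUtc.Value >= m.LastPasswordChangeUtc;
        if (nowUtc >= remindFromUtc && !alreadyReminded) return PasswordAction.Remind;

        return PasswordAction.None;
    }

    // Body of the recurring job. With Hangfire you would register a parameterless
    // wrapper that calls this with DateTime.UtcNow via RecurringJob.AddOrUpdate(...).
    public static void Run(IMemberPasswordStore store,
                           Action<MemberRecord, PasswordAction> notify,
                           DateTime nowUtc)
    {
        foreach (var m in store.GetActiveMembers().ToList())
        {
            var action = Evaluate(m, nowUtc);
            if (action == PasswordAction.Remind)
            {
                notify(m, action);
                store.MarkReminderSent(m.Id, nowUtc); // makes the next run a no-op for this member
            }
            else if (action == PasswordAction.Disable)
            {
                store.Disable(m.Id);                  // disable first, then tell the member
                notify(m, action);
            }
        }
    }
}

// Constructed in-memory store so the example runs without a database.
public sealed class InMemoryStore : IMemberPasswordStore
{
    private readonly List<MemberRecord> _rows;
    public InMemoryStore(IEnumerable<MemberRecord> rows) => _rows = rows.ToList();
    public IEnumerable<MemberRecord> GetActiveMembers() => _rows.Where(r => !r.Disabled);
    public void MarkReminderSent(int id, DateTime whenUtc) => _rows.First(r => r.Id == id).ReminderSentUtc = whenUtc;
    public void Disable(int id) => _rows.First(r => r.Id == id).Disabled = true;
}

public static class Program
{
    public static void Main()
    {
        var now = new DateTime(2022, 1, 7, 0, 0, 0, DateTimeKind.Utc); // constructed "current time"
        var store = new InMemoryStore(new[]
        {
            new MemberRecord { Id = 1, Email = "fresh@example.test",   LastPasswordChangeUtc = now.AddDays(-5)  }, // None
            new MemberRecord { Id = 2, Email = "warn@example.test",    LastPasswordChangeUtc = now.AddDays(-11) }, // Remind
            new MemberRecord { Id = 3, Email = "expired@example.test", LastPasswordChangeUtc = now.AddDays(-15) }, // Disable
        });

        // Run the job twice for the same hour: the second pass sends nothing new.
        for (int pass = 1; pass <= 2; pass++)
        {
            Console.WriteLine($"--- pass {pass} ---");
            PasswordExpiryPolicy.Run(store, (m, a) => Console.WriteLine($"{a}: {m.Email}"), now);
        }
    }
}
```

The first pass prints one `Remind` and one `Disable`; the second pass prints nothing, because the reminder is recorded against the current password and the disabled member is no longer returned by `GetActiveMembers()`. Keeping `Evaluate` free of I/O is what lets you pin the 10-day and 14-day boundaries down in tests before wiring the job to real member data.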
