
Online Password Management

The last time I had a requirement to allow users to change passwords in the browser it was the R5 days. Back then it was still a case of us building a front-end to an agent that updated the HTTPPassword field in the user's NAB entry. The trouble with this approach being that it was anybody's guess when the change would take effect.

Web users, quite rightly, expect the change password feature to work in the same way on any site and on most sites it does. On Domino sites it's not as easy, but it seems to be getting there. The need for a change password feature has come my way again. This time it's Domino 6.5. How have things changed? Let's see.

Well, we can create custom login forms and even custom change password forms. The domcfg.nsf database allows us a lot of control. Is it enough control though?

My initial tests with the change password form show that it works, but in an odd way. The new and old passwords both work. You can log in with either. Also, if you want to change password again, straightaway, it's the old one you need to put in the change password form. Confusion ahoy.

Something else I need to do is force users to choose a 6+ character alphanumeric password. I can't see any way of doing this, even with Policy documents. The change password and password changed forms don't allow WQS/O agents, so I can't add my own logic and JavaScript is not allowed. On top of all this I also need to force users to change password on first login. For this there's a field in the Person document called "HTTPPasswordForceChange". I've tried using it but it doesn't seem to work.

I wanted to achieve all of this using standard (or maybe slightly tweaked) Domino forms and features. Instead it's starting to look more likely that still, all these years on, I need to write my own code to do it all. Surely I'm not the first person who has needed to achieve this (basic!) functionality. Anybody?

Comments

    • Ben
    • Wed 30 Nov 2005 04:14 AM

    Jake,

    We have some code (I think it originally came from the sandbox) that forces the server to update a password change immediately, i.e. so there is no 15 minute wait for it to take effect. I can send it to you, if you like.

    Ben

  1. Refresh these views. Should make sure that the changed password has effect immediately:

    ($Users)

    ($LDAPCN)

    ($ServerAccess)

    ($Groups)

    I _think_ that both the old and the new password will work for some time because of caching of the old password.

    • Jake
    • Wed 30 Nov 2005 05:35 AM

    I am doing some digging around the help files and finding some interesting stuff. E.g:

    "You can use either your old Internet password or your new Internet password for two days after you submit a new password, provided the server you authenticate with, or HTTP, is not shut down. Otherwise, you must use your new Internet password. "

  2. Jake, the ini parameter "HTTP_PWD_CHANGE_CACHE_HOURS" sets how long the Domino server holds onto the old password.

    • Ian B
    • Wed 30 Nov 2005 06:40 AM

    Not much help, but we used IIS as the http_server and used htma to change the passwords. Actually worked quite well.

    Could you not use a fake form to submit the change request to the change password form, therefore allowing you to use built-in length policies?

  3. BTW, Ian has the right idea, I will most likely be creating a password management tool that uses a custom form where I can control all settings, and have an end process that creates the adminp form.

    • Jake
    • Wed 30 Nov 2005 07:30 AM

    Ian/Jeff. This is what I am <s>wasting</s> spending my time on at the moment: my own front-end to the adminp password change function. It's almost there, just trying to validate alphanumericalness of the password with the Like operator in LS. More tomorrow...
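An added example, not part of the original post or comments: one way to do the 6+ character alphanumeric check mentioned above with the LotusScript Like operator. The function name CheckNewPassword, the sample passwords and the reading of "alphanumeric" as letters and digits only, with at least one of each, are assumptions.

```lotusscript
Option Declare
Option Compare Binary   ' Like ranges compare by character code, so [A-Z] cannot match accented letters

' Hypothetical helper: returns "" when pw is acceptable, otherwise the reason it was rejected.
' Assumption: "alphanumeric" = only A-Z, a-z and 0-9, with at least one letter and one digit.
Function CheckNewPassword(pw As String) As String
	CheckNewPassword = ""
	If Len(pw) < 6 Then
		CheckNewPassword = "must be at least 6 characters long"
	Elseif pw Like "*[!A-Za-z0-9]*" Then
		' [!...] matches any single character outside the listed ranges
		CheckNewPassword = "may only contain letters and digits"
	Elseif Not (pw Like "*[A-Za-z]*") Then
		CheckNewPassword = "must contain at least one letter"
	Elseif Not (pw Like "*[0-9]*") Then
		CheckNewPassword = "must contain at least one digit"
	End If
End Function

Sub Initialize
	' Constructed sample inputs, one per rule
	Dim samples(4) As String
	Dim reason As String
	samples(0) = "abc12"        ' too short
	samples(1) = "abc 123"      ' contains a space
	samples(2) = "abcdefg"      ' no digit
	samples(3) = "1234567"      ' no letter
	samples(4) = "abc1234"      ' acceptable

	Forall s In samples
		reason = CheckNewPassword(Cstr(s))
		If reason = "" Then
			Print Cstr(s) & ": accepted"
		Else
			Print Cstr(s) & ": rejected - " & reason
		End If
	End Forall
End Sub
```

The check has to run on the server against the plain-text value before it is hashed, since the built-in change password form accepts neither agents nor JavaScript.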

  4. I thought that refreshing the views that Jens Brnutt mentions AND sending a "tell adminp process interval" command to the server does the trick... Maybe I am wrong...

  5. Sub Initialize
        Dim session As New NotesSession
        Dim books As Variant
        Dim view As NotesView
        Dim persondoc As NotesDocument
        Dim doc As NotesDocument
        Dim done As Variant
        Dim person As String

        books = session.AddressBooks
        Set doc = session.DocumentContext
        done = False
        person = doc.fldComputedUserName(0)

        ' Check every Domino Directory until the user is found
        Forall b In books
            If ( b.IsPublicAddressBook ) And ( Not done ) Then
                Call b.Open( "", "" )
                ' Find the user in the ($Users) view
                Set view = b.GetView( "($Users)" )
                Set persondoc = view.GetDocumentByKey( person )
                ' If found, store the new password and refresh the view
                If Not ( persondoc Is Nothing ) Then
                    persondoc.HTTPpassword = doc.fldClientPasswordEnc(0)
                    Call persondoc.Save(True,False)
                    Call view.refresh
                    done = True
                End If
            End If
        End Forall
    End Sub

    • jm
    • Thu 1 Dec 2005 10:11 AM

    To get it I:

    - edit the doc in a frameset,

    - modify the post target to submit in a 0 pixel frame,

    - then server side $$return JavaScript (!!) window.close (if OK) or alert msgerr (if wrong)

  6. I send the following console command whenever a new password is generated/changed: show nlcache reset

    This allows the new password to be available immediately by refreshing the name-lookup cache.

    I hope this helps even though it is a bit late.

    • lih
    • Mon 18 May 2009 02:53 AM

    I want to ask a question: "HTTP_PWD_CHANGE_CACHE_HOURS", this argument in notes.ini, what is its default value?


About This Page

Written by Jake Howlett on Wed 30 Nov 2005
