
Change Password Forms - As They Should Be

Yesterday I knocked together a password management page for an ASP.NET web application I've been working on.

Nothing special. Just the kind of thing any average web user would expect of a website. Most importantly, that any password change is instant. As is access after an initial registration. More than can be said of Domino.

It was always with huge professional embarrassment that I found myself having to add messages to an already-hacked version of Domino's change password form that said something along the lines of:

Your password has been changed. While this may take effect immediately, please allow up to 24 hours for this change to take place. If you find yourself unable to use your new password straight away please continue to use your old one until it stops working, at which point you should switch to your new one.

No, seriously, I had to add that to a Domino website! Lord knows what users who read it must have thought.

Now I know there are things you can try and do to help prevent the caching of passwords in Domino, but I don't really relish the idea of calling view refreshes on the address book or whatever it is you need to do. And it misses the point that I really shouldn't have to.

Part of me always thought this would get addressed in Domino at some point, but, unless I've missed something, it's just another aspect of Domino that's gone without attention for what must be 10+ years.

So, you can imagine how nice it felt yesterday to finally have the complete control I've always wanted over things like this. Sure, I had to create the Users table in SQL and create the registration process from scratch (things that using Domino means I don't have to do), but I'd happily spend a day of my time at no cost adding my own processes, just so I know I can make a website that works like it ought to.

Comments

    • Paul
    • Fri 8 Oct 2010 03:47 AM

    Jake,

    Have you looked into .net membership? Nearly everything you need with little effort to set up. Possibly overkill for a simple system though...

    1. Yep, I'll back the .net Membership schema here. Very easy to implement, secure by default (all passwords etc are encrypted and salted etc.) and provides just about everything you need for a login screen etc.

  1. Hi Jake

    Just so you know, you can change the password cache on the server so it takes place immediately (or when you wish)

    HTTP_PWD_CHANGE_CACHE_HOURS=N

      • Jake Howlett
      • Fri 8 Oct 2010 05:31 AM

      And N can be 0? And it works? Like, actually works?

      What about newly created Person documents from scripts - does the ini setting cover that?


    1. Nice one, didn't know such existed, thanks!

  2. "I don't really relish the idea of calling view refreshes on the address book or whatever it is you need to do."

    Ummm... why not?

      • Sagar
      • Fri 8 Oct 2010 09:34 AM

      1. Because it's more than 10 years and IBM failed to provide the right solution to such a basic and important issue.

      2. It may slow down for large views when you have continuous update to person documents such as in a public website where users can self register and manage their user profiles.


    • Craig Boudreaux
    • Fri 8 Oct 2010 09:29 AM

    2 comments:

    1) I have applications that have been doing the recommended view refresh thing for almost 10 years on the password change, and all has been fine. Will look into @Paul's password cache thing though.

    2) You mean you don't like doing things you shouldn't have to do more than having to do 'other' (more time intensive) things you shouldn't have to do? And is that application security you wrote in a day as secure as what Domino has out of the box?

    • Aaron Hardin
    • Fri 8 Oct 2010 10:33 AM

    Hey Jake

    I know that you are pretty busy now, but I would like to see how you build your controls with ASP or PHP. Just if you are looking for a new topic :)

  3. +1 for .NET membership btw - although personally the schema as it comes out of the box isn't to my liking, but it's easy to modify and create your own re-usable customised provider which will happily work with WebForms/MVC/whatever.

    +1 as well for not enjoying telling Domino customers in the past "Wellllll you've changed your password, but it takes a while to update on the server.. why? Wellll....."

    • Erwin
    • Mon 11 Oct 2010 06:26 AM

    Can you reassure me that your blog is not sponsored?

    I totally agree with Craig Boudreaux.

      • Jake Howlett
      • Mon 11 Oct 2010 07:40 AM

      Damn, I've been rumbled. This site has been sponsored by Microsoft all along. I can't believe it took 10 years for somebody to notice.



About This Page

Written by Jake Howlett on Fri 8 Oct 2010


About This Website

CodeStore is all about web development. Concentrating on Lotus Domino, ASP.NET, Flex, SharePoint and all things internet.

Your host is Jake Howlett who runs his own web development company called Rockall Design and is always on the lookout for new and interesting work to do.

You can find me on Twitter and on Linked In.
