Forcing member to change password on first login

Hi All,

I’m trying to set up a site so that the first time a member logs in they are forced to reset their password.

I’m using V 1.10 of the membership plugin and I’m not sure what I’m missing, but I can’t get the login  form to redirect to the reset password page, it always goes to the referring page. (Even when I comment out the referring page code below)

Thanks as always,

Jerry Kornbluth

Here’s what I’ve done so far:

In my user accounts I set up a check box called first_time_login.


I created a reset password form called cp.php that will update the first_time_login check box field to 1 when the form is submitted.

In my member login form (attached) I’ve added the following to the top of the page:

if (@$_POST['save'] == ‘1' && @$CURRENT_USER && (@$CURRENT_USER['first_time_login'] == '0' || @$CURRENT_USER['first_time_login'] == "")  ){redirectBrowserToURL(" http://50.87.248.95/~nawaflco/nawafl/cp.php"); exit;
 }
   
  if (@$CURRENT_USER && @$CURRENT_USER['first_time_login'] == 1 )                                { $errorsAndAlerts .= "You are already logged in!<br /><a href='{$GLOBALS['WEBSITE_LOGIN_POST_LOGIN_URL']}'>Click/Tap here to continue</a><br /> or <a href='?action=logoff'>Here to Log Off</a>.<br/>\n"; }
  if (!@$CURRENT_USER && @$_REQUEST['loginRequired']) { $errorsAndAlerts .= "Please login to continue.<br/>\n"; }

  // save url of referring page so we can redirect user there after login
  if (!getPrefixedCookie('lastUrl')) { setPrefixedCookie('lastUrl', @$_SERVER['HTTP_REFERER'] ); }


In the login form itself, I added:

<input type="hidden" name="save" value="1" />

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By claire - January 23, 2015

Hey Jerry

I think you're going about this the wrong way. A better solution would be to let them login and get to the normal referring page, then check there if first_time_login is checked and redirect to the reset password page at that point. Then once they reset their password, you can update the record, tick that box, and redirect back to the usual login landing page.

--------------------

Claire Ryan
interactivetools.com

Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Thanks Claire,

Won't I still have the same redirect issue, just one page removed?

The member logs in, gets sent to a members only page and when I check to see if they are a first time login, they still will have to be redirected to the change password page.

I'd like them to then be automatically taken back to the referring members only page

BTW did you see my post about not being able to upload a file to the forum?

Jerry

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By claire - January 23, 2015

Yeah, I saw. It might be because the extension is .php_attachment or something. I'll look into it.

Making it one page removed just means the logic is a little easier to handle. You know everyone who logs in will hit this one page, and it's then just a matter of always redirecting anyone who hasn't reset their password yet to the other page.

--------------------

Claire Ryan
interactivetools.com

Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

OK, I'll give it a go, but it isn't really my first choice..

I don't know if you remember where I'm trying to go with this.

I was looking for a way to give members their password after an approval process that could take a while, and thought that if they chose their user name (which I can easily remind them of) and a universal password, and if they were forced to change their password the first time they logged in, that would offer an acceptable solution.

This was the reason I wanted (and still would prefer) doing the checking on the login page. It's the only page that everyone must come through for protected pages, no matter where they enter the site.

Thanks again for following up on this.

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By claire - January 23, 2015

Ah I see. Okay, if you need to have it go through the login page, then there are a few other options.

Off the top of my head, I think it's likely that the $CURRENT_USER is not set at the time when you're doing the check - OR that the form is processing ahead of time and redirecting to the landing page specified in the WSM plugin file before it hits the check. I'd recommend doing adding showme($CURRENT_USER); die; just before the check to see if the page is processing that far and whether the $CURRENT_USER is set as expected at that point.

Does that make sense?

--------------------

Claire Ryan
interactivetools.com

Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Good thought, Claire,

It probably does have something to do with the WSM plugin.

I'll post what I find, but probably not until tomorrow.

Hopefully it will be useful to others struggling with the new password encryption security while giving management more control over a member approval process.

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By gkornbluth - January 24, 2015 - edited: January 24, 2015

Hi Claire,

I think I’m almost there.

After a lot of playing around, I added the following to the error checking section of the WSM plugin V 1.10 (around line 121) and it seems to work as expected:

if (@$_REQUEST['action'] == 'login')   {if (@$CURRENT_USER && (@$CURRENT_USER['first_time_login'] == '0'||@$CURRENT_USER['first_time_login'] == "")){redirectBrowserToURL("cp.php"); exit;} // if first time login redirect to change password page
else; }

As Always, I'm curious if I've created any security issues that you can see.

Thanks,

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php