7 Replies Latest reply on May 31, 2017 12:26 PM by richard.ronnback@publishingkonsult.se

    Suggestions for web direct compatible password reset mail?

    richard.ronnback@publishingkonsult.se

      I have set up a database which external users access using web direct. Each user has a proper FileMaker account and all security is done with a custom privilege set, so the user is able to log in using web direct's standard login.

       

      We are ok that users log in with a blank password the first time, but I haven't figured out a simple, and secure, way to allow the user to reset the password if they have forgotten it (which they will). We do have their mail address stored in the database.

       

      I know I can do it with php and cwp, but I would rather not, if there is a feasible way of achieving the goal, allowing each user to securely retrieve and/or reset their password when they have forgotten it.

       

      All suggestions are most welcome.

        • 1. Re: Suggestions for web direct compatible password reset mail?
          mikebeargie

          Send Mail as SMTP is a PSoS compatible script step. As are the account management script steps.

           

          If I were doing this, I would script the following:

           

          1) Never allow the user to retrieve, only reset a password

          2) Reset their password with a temporary password that is sent via email

          3) Require that user change their password when logging in next

           

          Something like this (assuming you have the username in a global field) may look like:


          Script: Request Temporary Password (Client Side)

          If [ IsEmpty ( globalfield ) ]
             Show Custom Dialog [ "ERROR" ; "Username is required" ]
          Else
             Perform Script on Server [ "Send Temporary Password" ; Parameter: globalfield ; Wait for completion ]
             If [ Get ( ScriptResult ) = "Error" ]
                Show Custom Dialog [ "ERROR" ; "Unable to reset password, contact administrator" ]
             Else
                Show Custom Dialog [ "Email Sent" ; "Please check your email for a temporary password. If you did not receive this email, contact an administrator." ]
             End If
          End If

          Script: Send Temporary Password (runs on server via PSoS)

          If [ IsEmpty ( Get ( ScriptParameter ) ) ]
             Exit Script [ Result: "Error" ]
          End If

          Go to Layout [ users ]
          Enter Find Mode [ Pause: Off ]
          Set Field [ users::username ; "==" & Get ( ScriptParameter ) ]
          Perform Find [ ]
          # 401 = no records match; more than one match means the username is not unique
          If [ Get ( LastError ) = 401 or Get ( FoundCount ) > 1 ]
             Exit Script [ Result: "Error" ]
          End If

          Set Variable [ $email ; Value: users::email ]
          Set Variable [ $pass ; Value: // Generate a random password here somehow ]

          # Expire the temporary password so the user must change it at next login
          Reset Account Password [ Account Name: Get ( ScriptParameter ) ; New Password: $pass ; Expire password ]
          If [ Get ( LastError ) <> 0 ]
             Exit Script [ Result: "Error" ]
          End If

          Send Mail [ Send via SMTP Server ; To: $email ; Subject: "Password Reset" ; Message: "Your temporary password is: " & $pass ]

          Exit Script [ Result: True ]

           

          Reference for the account-based script steps:

          Accounts script steps

          • 2. Re: Suggestions for web direct compatible password reset mail?
            mikebeargie

            You can also make this much more complex, like requiring the user keys in the answer to a security question that is validated in the PSoS script.

            • 3. Re: Suggestions for web direct compatible password reset mail?
              beverly

              So with not being able to login, how/when is this script called on Web Direct? What permissions on the PSoS?

              Thanks.

               

              Sent from miPhone

              • 4. Re: Suggestions for web direct compatible password reset mail?
                mikebeargie

                The above would require:

                 

                1) An auto-login account for the file with severely restricted access to only a login page and access to the global table.

                2) Escalation to full access privileges for the server script.

                3) Careful consideration on if this should even be utilized (thinking out ways it could be exploited and if they can be combated).

                 

                Re-Login is one of the available script steps; attaching that to a button will allow users to log in with their FileMaker account and access the rest of the system from the restricted auto-login page.

                 

                Until FileMaker builds in a forgot password feature (see Product Ideas and suggest it!), then you're at the mercy of what you can build, or just training an admin to respond to reset requests manually.

                • 5. Re: Suggestions for web direct compatible password reset mail?
                  richard.ronnback@publishingkonsult.se

                  Hi Mike,

                   

                  Thanks for your very detailed reply, that is much appreciated.

                   

                  So if I understand you correctly, the core of your approach is

                   

                  1) An auto login account that basically is only allowed to do two things: either a re-login, with known credentials, or a reset-and-send-password script, when the user can only supply the user name.

                   

                  That will work; the only (theoretical) problem I can see is that a non-authorized user then potentially can reset any user's password, provided they have knowledge of user names.

                   

                  In practice I don't think it will ever happen, but I am just trying to think before doing.

                  • 6. Re: Suggestions for web direct compatible password reset mail?
                    mikebeargie

                    Generally correct, see my follow-up to bev where I suggested #3 “consider even using it”. It IS an option, whether the right one is up to you.

                     

                    Personally, I prefer manual account management, but I can see why this can be an issue if there isn’t a strong candidate for an admin in the user group.

                     

                    Since it does reset the password to a temporary one, that is a risk. However since you are storing the email it goes to in a restricted way, at least you have a basic separation for security. Usually people put a “if you did not request this email, contact ____ immediately” message so that users can warn administrators of a potential unauthorized attempt.
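Added example, not the poster's script nor a FileMaker feature: a Python model of the server-side reset flow from reply #1, with the two defensive pieces this thread circles around, a CSPRNG-generated temporary password in place of the "somehow", and a per-username rate limit plus a uniform reply so that someone who only knows usernames can neither keep locking a user out (the risk raised in replies #5 and #6) nor learn which accounts exist. The user table, account store and outgoing-mail list are constructed in-memory stand-ins; the `now` parameter exists only so the window can be tested deterministically.

```python
import secrets
import string
import time

# Constructed in-memory stand-ins (hypothetical) for the users table and the
# FileMaker accounts that reply #1's server script finds and resets.
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}
ACCOUNTS = {name: {"password": None, "must_change": False} for name in USERS}

ALPHABET = string.ascii_letters + string.digits
TEMP_PASSWORD_LEN = 16
WINDOW_SECONDS = 15 * 60   # rate-limit window per username
MAX_PER_WINDOW = 3         # resets allowed per username inside the window
UNIFORM_REPLY = ("Please check your email for a temporary password. "
                 "If you did not request this, contact an administrator immediately.")


def generate_temp_password(length=TEMP_PASSWORD_LEN):
    """CSPRNG-backed temporary password; fills the 'somehow' in reply #1."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class ResetService:
    def __init__(self):
        self.sent_mail = []   # (to, temp_password): what the Send Mail step would send
        self.audit = []       # (event, username) for an administrator to review
        self.attempts = {}    # username -> timestamps of recent requests

    def request_reset(self, username, now=None):
        """Server-side counterpart of the 'Send Temporary Password' script."""
        now = time.time() if now is None else now
        recent = [t for t in self.attempts.get(username, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.attempts[username] = recent
        # Cap resets per username so someone who only knows usernames cannot
        # keep locking a user out (the risk raised in replies #5 and #6).
        if len(recent) > MAX_PER_WINDOW:
            self.audit.append(("rate_limited", username))
            return UNIFORM_REPLY
        email = USERS.get(username)
        if email is None:
            # Same reply for unknown names, so the form does not confirm accounts.
            self.audit.append(("unknown_user", username))
            return UNIFORM_REPLY
        temp = generate_temp_password()
        # Stand-in for Reset Account Password with "expire / require change".
        ACCOUNTS[username] = {"password": temp, "must_change": True}
        self.sent_mail.append((email, temp))
        self.audit.append(("reset", username))
        return UNIFORM_REPLY
```

The audit list is what an administrator would review when a user reports the "if you did not request this" email; in a real deployment the mail body should carry that line, and the rate-limit state must live on the server, never in the unauthenticated client.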

                    • 7. Re: Suggestions for web direct compatible password reset mail?
                      richard.ronnback@publishingkonsult.se

                      Thanks Mike. I will give it thought and test it. Compared to the level of security they had in the previous solution, everything will be a big step forward.