
'Forgot Password ?'

Friend33

Hi Friends,

Need to provide 'Forgot Password ?' functionality at the login page.

If the user selects this option then a password reset will be done by the system and a new password will be mailed to the e-mail address held against the user's account in an Oracle table.

My query is how to generate a new password when we click 'Forgot Password' ?

Can someone tell me as to how to generate a new password using Oracle's features ?

Thank You,

Friend
 
friend,

in true Blue Peter fashion, here's one I prepared earlier

Code:
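/******************************************************************************
 Set a database account's password to the value supplied by the caller.
 Written as a procedure in a package body.
******************************************************************************/
   PROCEDURE reset_password (
      p_username           IN   authentication_info.user_name%TYPE,
      generated_password   IN   VARCHAR2
   )
   IS
      ddl_string   VARCHAR2 (100);
   BEGIN
      -- The password is placed inside double quotes below, so it must not
      -- contain one itself.
      IF INSTR (generated_password, '"') > 0
      THEN
         raise_application_error (-20001, 'Password must not contain "');
      END IF;

      -- DDL cannot take bind variables. SIMPLE_SQL_NAME raises ORA-44003
      -- unless p_username is a plain identifier, so no extra SQL can ride
      -- along in the user name.
      ddl_string :=
            'ALTER USER ' || DBMS_ASSERT.simple_sql_name (p_username)
         || ' IDENTIFIED BY "' || generated_password || '"';

      EXECUTE IMMEDIATE ddl_string;
   END reset_password;

/******************************************************************************
******************************************************************************/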

Note that the account running this requires alter user privilege. The two IN parameters are user name and the new password. They are references peculiar to my system, so change them to suit your own purposes.

Note that because you now have a 'wild' password (since it's been E-Mailed out to the user) you should expire the account, so that the user has to change password at the next logon.

Regards

Tharg

Grinding away at things Oracular
 
Hi Thargtheslayer,

One quick question !

I know it is silly but is the password created by the user in this case ? Please explain.

Thank You,

Friend
 
Friend,

the routine merely sets the account's password to what it's given. How you decide upon the password is up to you.

For example, you could make it so that only an administrator can run the routine, and they would manually choose the password.

Alternatively, you could do what I do, and generate a pseudo-random string, and set the password to that. The main thing is that by expiring the account, and then giving the forgetful user access, you ensure that once they've logged in, only the proper user knows the password.

It is possible to let the user choose his or her new password, but this means giving them access to the database, in order to do so. Since they've forgotten their password, how will you authenticate the user? It could be a hoaxer pretending to be somebody else, feigning forgetfulness. Because of this 'hole' in security I recommend that you do NOT allow users to choose their password.

Obviously this answer disregards the fact that your E-Mail may not be secure - but that's a different story [wink].

Regards

Tharg

Grinding away at things Oracular
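
The approach described in the replies above (a pseudo-random password, set with ALTER USER and expired so the user must change it at next logon), as an added example that is not code from either poster. The procedure name, the alphabet and the 16-character length are assumptions, and it draws its randomness from DBMS_CRYPTO.RANDOMBYTES, which is a choice made here, not necessarily the generator Tharg uses.

```sql
-- Added example (not from the thread): generate a temporary password,
-- set it on the account and expire it in a single statement.
-- Assumptions: procedure name, alphabet and length are illustrative;
-- the owner needs EXECUTE on DBMS_CRYPTO and the ALTER USER privilege.
CREATE OR REPLACE PROCEDURE reset_forgotten_password (
   p_username   IN       VARCHAR2,
   p_temp_pw    OUT      VARCHAR2   -- hand this to the mailing routine
)
IS
   -- No double quote in the alphabet, so the value is safe inside "..."
   c_alphabet   CONSTANT VARCHAR2 (64)
      := 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
   c_length     CONSTANT PLS_INTEGER := 16;
   v_n          CONSTANT PLS_INTEGER := LENGTH (c_alphabet);
   -- Bytes at or above v_limit are discarded so MOD introduces no bias
   v_limit      CONSTANT PLS_INTEGER := TRUNC (256 / v_n) * v_n;
   v_byte       PLS_INTEGER;
   v_pw         VARCHAR2 (30);
BEGIN
   WHILE NVL (LENGTH (v_pw), 0) < c_length
   LOOP
      -- One byte from Oracle's cryptographic generator, as a number 0..255
      v_byte := TO_NUMBER (RAWTOHEX (DBMS_CRYPTO.randombytes (1)), 'XX');

      IF v_byte < v_limit
      THEN
         v_pw := v_pw || SUBSTR (c_alphabet, MOD (v_byte, v_n) + 1, 1);
      END IF;
   END LOOP;

   -- DDL takes no bind variables: validate the name before concatenating.
   -- SIMPLE_SQL_NAME raises ORA-44003 for anything but a plain identifier.
   EXECUTE IMMEDIATE
         'ALTER USER ' || DBMS_ASSERT.simple_sql_name (p_username)
      || ' IDENTIFIED BY "' || v_pw || '" PASSWORD EXPIRE';

   p_temp_pw := v_pw;
END reset_forgotten_password;
/
```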
 