Lost Password Feature

The lost password feature lets a client reset their own password from the client side. You control whether that feature is enabled with the following admin tool setting:

ADMIN TOOLS & SETTINGS > SECURITY SETTINGS > GENERAL SECURITY SETTINGS > Forgot Password Tool

The setting is shown in the following admin tool screenshot:

That screenshot also shows the links for editing the text of the lost password page and of the lost password email.

Effects of the Password Storage Method

Note that the lost password feature behaves differently depending on the value of this setting:

ADMIN TOOLS & SETTINGS > SECURITY SETTINGS > GENERAL SECURITY SETTINGS > Client Password Storage Method

If the above setting is:

  • Plain Text - the email sent to the client contains their actual password, exactly as they type it in the password field. They can run the lost password routine any number of times and every email contains the same password.
  • Geodesic Hashed - the lost password routine cannot send the password the client set, because only a hash of it is stored. So every time the client "hits" the lost password routine, the system generates a random password and saves it as the password in their account details. That is straightforward enough, but an impatient client may hit the reset password routine several times, and the software resets the password on each attempt. For example, if the emails to the client are a bit slow and the client is a bit impatient, they may assume the first lost password request did not work and hit the lost password feature again. Meanwhile the email from the first attempt arrives. It contains a password, but that password is no longer valid, because the second request has already replaced it. The client then enters the "now bad" password, finds it does not work, and becomes more frustrated. So if you use this password storage method, counsel your clients against haste within the text of the lost password routine to save them that frustration.

To complicate this further for admins, the behavior above depends on the current saved state of each client's password, not on the current value of the configuration setting. If you, the admin, change the above setting AFTER opening your site in an attempt to improve security, you will have some clients with passwords saved in plain text (the default setting at installation) and others with hashed passwords. If a client comes to you for support, you may need to adjust your response based on your knowledge of that configuration change.
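The following is an added example, not code from Geodesic Solutions, that models both points above: the routine decides what to do from how each account's password is actually stored (plain text versus hash), and for hashed accounts a repeated request overwrites the random password from the earlier request. It also shows one way to soften the "impatient client" problem (ignoring repeat requests for a few minutes so the first email stays valid) and an audit helper that lists the accounts still holding plain-text passwords after the setting was changed. The account structure, the `sha256$` hash prefix and the `resend_window` parameter are assumptions for the example.

```python
"""Model of a lost-password routine whose behaviour depends on how each
account's password is stored.  Constructed example; not Geodesic code."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

HASH_PREFIX = "sha256$"  # assumed marker for hashed storage


@dataclass
class Account:
    email: str
    stored: str                            # plain password, or "sha256$<hex>"
    pending_since: Optional[float] = None  # time of the last reset we honoured


def hash_password(password: str) -> str:
    """Store only a digest, so the original password cannot be recovered."""
    return HASH_PREFIX + hashlib.sha256(password.encode()).hexdigest()


def is_hashed(stored: str) -> bool:
    """The per-account storage method is decided by the stored value, not by
    the admin setting in force today: accounts created before the setting was
    changed still hold plain-text passwords."""
    return stored.startswith(HASH_PREFIX) and len(stored) == len(HASH_PREFIX) + 64


def verify(account: Account, password: str) -> bool:
    """Check a login attempt against whichever storage form the account uses."""
    if is_hashed(account.stored):
        return hmac.compare_digest(account.stored, hash_password(password))
    return hmac.compare_digest(account.stored, password)


def lost_password(account: Account, now: float, resend_window: float = 300.0) -> Optional[str]:
    """Run the lost-password routine once; return the email body, or None if
    the request was ignored because a recent reset is still pending.
    resend_window=0 reproduces the behaviour described on this page, where
    every hit generates and saves a fresh random password."""
    if not is_hashed(account.stored):
        # Plain text: the stored value *is* the password, so every email is
        # identical (and each one exposes the real password in transit).
        return f"Your password is: {account.stored}"
    if account.pending_since is not None and now - account.pending_since < resend_window:
        # Hashed, but a reset was issued moments ago: keep that password valid
        # instead of overwriting it, so the email already on its way still works.
        return None
    new_password = secrets.token_urlsafe(12)   # random replacement password
    account.stored = hash_password(new_password)
    account.pending_since = now
    return f"Your new password is: {new_password}"


def password_from_email(body: str) -> str:
    """Extract the password from an email body produced by lost_password()."""
    return body.rsplit(": ", 1)[1]


def audit_plaintext_accounts(accounts: List[Account]) -> List[str]:
    """List accounts still storing plain-text passwords, e.g. after the admin
    switched the storage setting on a site that already had clients."""
    return [a.email for a in accounts if not is_hashed(a.stored)]


if __name__ == "__main__":
    # Constructed sample accounts: one hashed, one plain text.
    hashed = Account("client@example.com", hash_password("original"))
    plain = Account("early-signup@example.com", "hunter2")

    first = lost_password(hashed, now=1000.0, resend_window=0)
    second = lost_password(hashed, now=1001.0, resend_window=0)
    print("first email's password still valid:", verify(hashed, password_from_email(first)))
    print("second email's password valid:", verify(hashed, password_from_email(second)))
    print("plain-text accounts:", audit_plaintext_accounts([hashed, plain]))
```

With `resend_window=0` the script shows the frustration scenario from the page: after two hits in quick succession the password in the first email no longer verifies. With the default window, the second hit returns `None` and the first email's password keeps working; whichever way you configure the real software, the audit helper is the check to run after changing the storage setting, because it tells you which clients' support cases will still follow the plain-text behaviour.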

startup_tutorial_and_checklist/feature_configuration/user_account_login/lost_password.txt · Last modified: 2014/09/25 16:55 (external edit)