Setting users passwords
36 posts

Hi devs!

I am trying to update an existing user's password on a "retrieve password" form. I send the user an email with a password reset link, which contains a hash, which I then use to fetch the correct user from the DB. Then I call user.Password.Set(newPwd) and then user.UpdateChanges(). I get an exception: I am not authenticated as admin (I am actually anonymous) and I cannot update the password. What is the correct procedure in that case? Should I temporarily authenticate with admin credentials (that would be strange)? I checked the Webnodes sample apps (ExploreNorway and the Shop), where setting passwords of new users seems straightforward.

Cheers,

120 posts

Hi Andrzej,

To set properties like the password property that are not legal for anonymous users, you must use another session with sufficient privileges. One such session is the built-in SystemSession, which has admin rights. You access the session with WAFRuntime.SystemSession.

A session is associated with a content item when you retrieve it, so to be able to perform the function you are looking for you must make sure you use the SystemSession when you retrieve the user content. Example:

var user = WAFRuntime.SystemSession.GetContent<SystemUser>(NodeId);
user.Password.Set(newPassword);
user.UpdateChanges();

PS: Remember that there are built-in password requirements in Webnodes that are turned on by default. You can change this in the Ontology module if you need to. The default requirements are: a mix of numbers and letters, lower- and upper-case letters, a minimum length of 5 chars, and that the password is not found in a built-in list of the 500 000 most commonly used passwords.

To test in advance if a new password meets the requirements you can call this method:

user.Password.Test(newPassword)

BTW: By default passwords are hashed, i.e. impossible to retrieve once set. This is the recommended setting; however, there is also an encrypted mode built in that makes it possible to retrieve the password. The password storing mode can be specified individually for each password by: user.Password.Set(newPassword, mode). (If the mode is not specified, it takes the default, defined in the Ontology module.)

For information about security in general see this post: http://developer.webnodes.com/security-setup

36 posts

Thanks Ole, that helps a lot!

36 posts

Hi Ole!

Just one more thing to clarify. You wrote

"To test in advance if a new password meets the requirements you can call this method:

user.Password.Test(newPassword)"

however, this seems to validate that newPassword is valid for that given user (so anything other than the current password returns false). Is there any method I could call, like WAFRuntime.TestPassword, just to see if the password meets the security policy (length, complexity etc.)?

120 posts

Hi, you are right, sorry!

I meant:

user.DoesPasswordMeetRequirements(string password, out string failedRequirement)
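The reset flow from Ole's first reply (fetch the user through WAFRuntime.SystemSession, set the password, save) combined with the requirements check he corrects to above, written out as a complete ASP.NET handler. This is an added example, not code from the thread or from Webnodes. The only Webnodes calls it relies on are the ones quoted in the thread: WAFRuntime.SystemSession.GetContent<SystemUser>(nodeId), user.DoesPasswordMeetRequirements(password, out failed), user.Password.Set(password) and user.UpdateChanges(); the namespace they live in is not given here, so the corresponding "using" is left to the reader. The ResetTokens class is a hypothetical stand-in for the "hash in the reset link" part of the original question: it issues a random token, stores only its SHA-256 so a leaked table cannot be replayed as reset links, and redeems each token once before it expires. The in-memory dictionary is constructed for the example; a real site would keep these rows in the database next to the user.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical reset-token store (not part of Webnodes): only SHA-256(token) is kept,
// each token is single-use and carries an expiry.
public static class ResetTokens
{
    private class Entry { public int UserNodeId; public DateTime ExpiresUtc; }

    // Constructed in-memory store for the example; a real site uses the database.
    private static readonly Dictionary<string, Entry> Store = new Dictionary<string, Entry>();

    // Create a token for the user and return the value that goes into the e-mail link
    // (e.g. /reset.ashx?t=<token>). 32 bytes from the CSPRNG, URL-safe base64.
    public static string Issue(int userNodeId, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Store[Hash(token)] = new Entry { UserNodeId = userNodeId, ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // Redeem a token exactly once. Returns the user's node id, or null if the token is
    // unknown or expired. The entry is removed before the expiry check so an expired
    // token cannot be retried either.
    public static int? Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string key = Hash(token);
        Entry entry;
        if (!Store.TryGetValue(key, out entry)) return null;
        Store.Remove(key);
        if (entry.ExpiresUtc < DateTime.UtcNow) return null;
        return entry.UserNodeId;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}

// The "retrieve password" form posts the token and the new password here.
public class PasswordResetHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        if (ctx.Request.HttpMethod != "POST") { ctx.Response.StatusCode = 405; return; }

        string token = ctx.Request.Form["t"];
        string newPassword = ctx.Request.Form["password"];

        int? nodeId = ResetTokens.Redeem(token);
        if (nodeId == null)
        {
            ctx.Response.StatusCode = 400;
            ctx.Response.Write("Reset link is invalid or has expired.");
            return;
        }

        // The request runs anonymously, which is not allowed to write the password
        // property, so the user content is fetched through the built-in SystemSession
        // (admin rights) as Ole describes. Nothing else in the request uses that session.
        var user = WAFRuntime.SystemSession.GetContent<SystemUser>(nodeId.Value);

        // Check the policy first so the user gets the failed requirement back instead
        // of an exception from Set().
        string failedRequirement;
        if (!user.DoesPasswordMeetRequirements(newPassword, out failedRequirement))
        {
            ctx.Response.StatusCode = 400;
            ctx.Response.Write("Password rejected: " + failedRequirement);
            return;
        }

        user.Password.Set(newPassword);   // default mode, i.e. hashed
        user.UpdateChanges();
        ctx.Response.Write("Password updated.");
    }
}
```

The token is redeemed before the SystemSession is touched, so an attacker who guesses at tokens never reaches the privileged path, and the SystemSession handle is scoped to the single update the anonymous request is allowed to make.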

36 posts

Hi Ole!

Unfortunately I am not able to find such a method. I have WAF Build = 1 382. Could that be the problem? I also cannot see the password restriction settings in the ontology anywhere.

120 posts

Yes, this is the reason.

36 posts

Hi again!

I have one more step in my scenario. After I set the password I would like to auto-authenticate the user. I tried WAFContext.LogInView(user.UserName), but it seems like it kind of "keeps" the user logged in just for that request. Should I set the authentication cookie myself in such a case? Any other solution to this scenario?

120 posts

Hi, see this post: http://developer.webnodes.com/webnodes-authentication-code-behind
