Expire passwords
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
KARL4 | Fix Released | Medium | Carlos de la Guardia |
Bug Description
"require password change every 180 days"
We'll require a new piece of information on the profile/user, with a date/time that is set whenever a password is correctly set. Then, during the Appropriate Time, if the current time is 180 days over, send them to the change password screen with a message explaining that their password is expired and requires a change.
"Appropriate Time" will have some rough edges. Let's describe some situations:
1) A not-logged-in user tries to login.
2) A logged-in user has the 2 week cookie which expires.
3) A logged-in user has the 2 week cookie for another couple of days.
4) (I forgot this one) Correctly handle the case of "Remember me" not being checked.
If someone has the cookie, I believe it's going to be a bit of work for us to override the default cookie checking and do our own thing. I propose that we don't try to handle (3)...the user might go 185 days or even 193 days before being forced to change their password.
This means we only need to do "Appropriate Time" on the login screen.
However, the next step is also complicated. The simplest is to wipe their password and force a password reset. But that's not very user-friendly. We probably want to let them use their current password (to prove they are who they say they are) but immediately pick a new password.
This is a little bit dicey...we can't let them do anything else on the site with their old password, except change their password. That means we don't really log them in. We need to make sure that, even though their previous password is still there, it doesn't allow "login" to proceed.
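One way to implement the login-screen check sketched above, as an added example and not KARL's own code: a timestamp written only when a password is correctly set, the 180-day comparison at login, and a change-password path that accepts the old password to prove identity but never results in a session. The names (`User`, `login`, `change_expired_password`, the outcome strings) and PBKDF2 as the password hash are assumptions; the scenario in `demo()` is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib, hmac, secrets

PASSWORD_MAX_AGE = timedelta(days=180)  # "require password change every 180 days"

@dataclass
class User:
    salt: bytes
    password_hash: bytes
    password_set_at: datetime  # written only when a password is correctly set

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(user: User, new_password: str, now: datetime) -> None:
    # Fresh salt and hash, and the stamp the expiry check is measured from.
    user.salt = secrets.token_bytes(16)
    user.password_hash = _hash(new_password, user.salt)
    user.password_set_at = now

def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash(password, user.salt), user.password_hash)

def login(user: User, password: str, now: datetime) -> str:
    """Login-screen decision; only 'logged_in' may lead to a session cookie."""
    if not check_password(user, password):
        return "denied"
    if now - user.password_set_at >= PASSWORD_MAX_AGE:
        # The old password proves identity but must not start a session.
        return "change_password_required"
    return "logged_in"

def change_expired_password(user: User, old: str, new: str, now: datetime) -> bool:
    """The one action allowed with an expired password: re-prove identity, then rotate."""
    if not check_password(user, old) or new == old:
        return False
    set_password(user, new, now)
    return True

def demo() -> list[str]:
    """Constructed scenario: password set on day 0; attempts on days 179, 180 and 185."""
    day0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice = User(b"", b"", day0)
    set_password(alice, "correct horse", day0)
    def day(n): return day0 + timedelta(days=n)
    return [login(alice, "correct horse", day(179)),
            login(alice, "correct horse", day(180)),
            str(change_expired_password(alice, "correct horse", "battery staple", day(185))),
            login(alice, "correct horse", day(185)),  # old password no longer works
            login(alice, "battery staple", day(185))]
```

The flow only runs at the login screen, so a user who stays inside a still-valid cookie past day 180 is not caught, which is exactly the situation (3) the description proposes not to handle.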
description: updated
Changed in karl4: milestone: 022 → 023
Changed in karl4: status: Fix Committed → Fix Released
Some update on this:
- I later checked, and our cookie is currently valid for 10 years, I believe
- Today OSF decided to dial that down to 10 hours and remove the "Remember Me" checkbox (but have remember me happen implicitly, though 10 hours)
Nat, I think the topic of the last two paragraphs is still in play. What happens when someone uses KARL one day, and the next day, passes over the 180 day limit? They'll be logged out and presumably, can't log in to change their password.