Allow users to change password

Callan

I have a simple asp login page using an access database I would like to make a page for users to change their passwords. Is this difficult to do? I had a look on Google for something ready to use but I couldn’t find anything.
Here is the code I am using for my login page

<%
'here is the connection string
Set conn = server.createobject("adodb.connection")
'this connection uses JET 4 it is the prefered method of connecting to an access database
DSNtemp = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.Mappath("/slog/login.mdb")
'if you cant use JET then comment out the line above and uncomment the line below
'DSNtemp="DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" & Server.Mappath("/slog/login.mdb")
conn.Open DSNtemp

'here we are getting the info from the login form
If InStr(Request.Form("uid"),"'") Then
uid = Replace(Request.Form("uid"),"'"," ")
Else
uid = Request.Form("uid")
End If
If InStr(Request.Form("pwd"),"'") Then
pwd = Replace(Request.Form("pwd"),"'"," ")
Else
pwd = Request.Form("pwd")
End If

'now we will querry the database for a match
SQL = "Select * From users Where uid = '" & uid & "' And pwd = '" & pwd & "'"
Set RS = Conn.Execute(SQL)

'if the user is found we will set the session okeydokey to TRUE allowing the user to gain entrance
If Not RS.EOF Then
  Session("okeydokey") = True
	
	'always always always destroy recordsets and close connections!
	Set RS = Nothing
	Conn.Close

'since the user was found, we sent them toodling on to the next page	
'########################################################################################################
'##### IN THE LINE BELOW CHANGE INDEX2.ASP TO THE PAGE YOU WANT THE USERS TO BE DIRECTED TO
  Response.Redirect "index2.asp"
Else
   
   'ooops if we got this far they dont know their login info or arent in the database
	'AGAIN always always always destroy recordsets and close connections!
	Set RS = Nothing
	Conn.Close
  'so we send em back to try again	
  Response.Redirect "incorrect_log_in.htm"
'#####  CHANGE INDEX.ASP IN THE LINE ABOVE TO THE NAME OF THE PAGE WHERE
'#####  WHERE YOU PLACED THE LOGIN TABLE. LEAVE IT IN QUOTES!!!!!!!!!!!!
'##################################################################################
  
End If
%>

seamus

It should be simple enough.

Most change password screen ask for the user's old password, then the new one twice.

So if you use an amalgamation of the login page and the script used to set the password originally, it should be easy enough.

Basically you want a page which takes the three fields (old password, new password 1, new password verify) from a form, then
a) Checks that the new password fields are the same, exiting and giving an error if not
b) Checks that the old password is correct (basically logging in without setting any cookies), if it doesn't exit and give an error
c) Puts whatever hashing or encryption on the new password, and entering that into the database.

At that point, you can do one of two things - Update the Session/Cookie so that it contains the new password,...or....log the person out and ask them to log back in with their new password (i.e. create a new session).

I don't know ASP, so I can't give you any code.

clearz

As seamus said I would create a page with an old password field and an new password field and a confirm new password field. You know the type. Then insert it into the database using something like

if oldPassword = passwordStoredInSessionCookie

UPDATE userDetails SET password = newPass WHERE username = userGotFromSessionObject AND password = oldPassword

Seth Brundle

clearz wrote:

As seamus said I would create a page with an old password field and an new password field and a confirm new password field. You know the type. Then insert it into the database using something like

if oldPassword = passwordStoredInSessionCookie

UPDATE userDetails SET password = newPass WHERE username = userGotFromSessionObject AND password = oldPassword

I would also update the value of passwordStoredInSessionCookie when at it!

Callan

Can someone please help me with this code I keep getting an error

Microsoft JET Database Engine error '80004005'
Operation must use an updateable query.
/qsc/management_db/change.asp, line 47

<%
'here is the connection string
Set conn = server.createobject("adodb.connection")
'this connection uses JET 4 it is the prefered method of connecting to an access database
DSNtemp = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.Mappath("users.mdb")
conn.Open DSNtemp
Set RS = Server.CreateObject("ADODB.Recordset")

'here we are getting the info from the login form
If InStr(Request.Form("uid"),"'") Then
uid = Replace(Request.Form("uid"),"'"," ")
Else
uid = Request.Form("uid")
End If

If InStr(Request.Form("pwd"),"'") Then
	pwd = Replace(Request.Form("pwd"),"'"," ")
Else
	pwd = Request.Form("pwd")
End If

If InStr(Request.Form("pwd0"),"'") Then
	pwd0 = Replace(Request.Form("pwd0"),"'"," ")
Else
	pwd0 = Request.Form("pwd0")
End If

If InStr(Request.Form("pwd1"),"'") Then
	pwd1 = Replace(Request.Form("pwd1"),"'"," ")
Else
	pwd1 = Request.Form("pwd1")
End If

if pwd0 <> pwd1 then
	Set RS = Nothing
	Conn.Close
	response.redirect("http://www.google.ie")
else	
	SQL = "Select * From People Where IDSID = '" & uid & "' And Pass = '" & pwd & "'"
	Set RS = Conn.Execute(SQL)
	IF RS.EOF THEN
			response.write("wrong pass/username")
			Set RS = Nothing
			Conn.Close
	Else
		SQL = "UPDATE People SET Pass = '" & pwd0 & "' WHERE IDSID = '" & uid & "'"
		Set RS = Conn.Execute(SQL)		
		Set RS = Nothing
		Conn.Close
		Response.write("hopefully changed")
	end if	
End if
%>

seamus

http://www.aspemporium.com/aspEmporium/help/helpsys.asp?PRB022

Google is your friend.

Check the IISUSER's (or whatever login the ISS process is running under) permissions to write to the directory where your DB is located.