How can I let a user change their password using web interface?

[Zac Tolley]

I've taken over a filemaker pro app that is deployed on a FM9 AS and accessed via the web interface layer.

Most stuff if fine , but users want to be able to change their passwords and from what I see the change password function is either not supported in the web interface or the values must be supplied via some calculation thingy....

Has anyone sorted the problem of creating something to let users change their password?

[CobaltSky]

Hello Zac,

Welcome to the forums. I see you've started with a bang - it's a pretty big question you've asked, and hard to answer fully or adequately in a forum post. Nevertheless I'll try to point you in some useful directions.

I guess it goes without saying (or does it...) that user password changes via the web will be less secure than if they were made using the FileMaker client. How much less secure depends on a number of factors, including whether you're using IWP or CWP (eg PHP) and various aspects of how your web interface, web hosting, authentication and password change procedure are handled.

However, that said, yes it's possible to create a mechanism for users to change their passwords via the web. However to do so you will require a special layout, a few utility fields (global text fields) and a script.

The password change procedure requires that users type their account name and old and new passwords into the global fields (you might want to provide two "new password" fields and require that they enter the new password twice). Then, as button the user clicks to proceed should run a script that does the following:

1. Checks that the account name the user entered is correct (eg matches the account the user us currently logged in with).

2. Checks that the new password is acceptable (eg that it is long enough, that if they were required to enter it twice, the entries match etc.)

3. Changes the password, using the Change Password[ ] script command, which is web compatible (when configured to display no dialog). You can enter references to the global fields the user has entered the account name and new password into as the arguments for the Change Password[ ] command (I assume that is what you meant by "calculation thingy..."?!)

4. Load a page that tells the user whether the password change was successful (and if not, why not), with buttons that let them proceed (if successful) or cancel or try again (if unsuccessful).

Assuming you are using IWP and you create a Globals table containing global text fields called gAccount, gOldP, gNewP1, gNewP2 and gResultText, plus layouts (PasswordChange, PasswordChangeFailed and PasswordChangeConfirmed) with appropriate fields and buttons on them, the following is an example of the kind of script you might consider using to manage the process:

#Web compatible password change procedure#

If [Get(LayoutName) <> "PasswordChange"]

[color:#ffffff]...Go to Layout ["PasswordChange" (Globals)]

Else If [Globals::gAccount = Get(AccountName) and Exact(Globals::gNewP1; Globals::gNewP2 and Length(Globals::gNewP1) > 4]

[color:#ffffff]...Change Password [Old Password: Globals::gOldP; New Password: Globals::gNewP1; No Dialog]

[color:#ffffff]...Set Variable [$error1; Value: Get(LastError)]

[color:#ffffff]...Set Field [Globals::gOldP; ""]

[color:#ffffff]...Set Field [Globals:: gNewP1; ""]

[color:#ffffff]...Set Field [Globals:: gNewP2; ""]

[color:#ffffff]...If [$err <> 0]

[color:#ffffff]......Set Field [Globals:: gResultText; If($err = 213; "Old password was not accepted."; "Unknown Error")]

[color:#ffffff]......Go to Layout ["PasswordChangeFailed" (Globals)]

[color:#ffffff]...Else

[color:#ffffff]......Go to Layout ["PasswordChangeConfirmed" (Globals)]

[color:#ffffff]...End If

Else If [Globals::gAccount = Get(AccountName)]

[color:#ffffff]...Set Field [Globals:: gResultText; "Account name not accepted."]

[color:#ffffff]...Go to Layout ["PasswordChangeFailed" (Globals)]

Else If [Exact(Globals::gNewP1; Globals::gNewP2]

[color:#ffffff]...Set Field [Globals:: gResultText; "The new passwords entered did not match."]

[color:#ffffff]...Go to Layout ["PasswordChangeFailed" (Globals)]

Else

[color:#ffffff]...Set Field [Globals:: gResultText; "Passwords should be at least five characters."]

[color:#ffffff]...Go to Layout ["PasswordChangeFailed" (Globals)]

End If

##

The above script has only rudimentary error checking and is one of a number of ways this scripting task might be approached. I've provided this one as an example because it is relatively easy to read and understand, but it could be extended or adapted in various ways.

If you're using CWP rather than IWP, you will need to do things a little differently (and you won't need the utility layouts) - plus some of the logic may reside in your code (eg PHP) rather than in the native FM script.

If you are using IWP, one of several implementation issues is that there is no bullet field, so the passwords will be entered as clear (visible) text in the user's browser. As I remarked, there are various security issues to consider when deciding whether this is appropriate (and if so, how you will implement it).

HTH.