How To Force User on 1st Login to Change Admin Generated Password

user04

So essentially I am have built a login page for users of a particular site. The users are inputted by the admin into the database and the admin sets their initial password.

What I am trying to do is when the user logs in for the first time, force them to change the password that the admin gave them.

So far the theory in my head is that after the admin adds a new user to the database to have a variable ("password_check") be set to "unchanged" (or "0"). Upon the user logging in for the first time, have the login script check to see if that variable is equal to zero.

If it is not, then proceed to "Account Page".
If it is, then take user to "Create New Password" page.

At the "Create New Password" page, when the user enters a new password, the variable is then set to "changed" (or "1").

However, I haven't the slightest idea how to do this. I did search for some help online and in these forums and was unable to find a solution.

Thank you very much for any and all insight.

Cheers.

halojoy

At first, no matter what password user will have to login.
Then you can store in $SESSION['variables'] info on this user.
If the field "password_check" is '0' then you make $SESSION['must_change'] = true
then you send this user to 'update_password.php'.

When the user has updated pass, you unset( $_SESSION['must_change']);
and update "password_check" to '1' in DB

user04

Halojoy,

Thanks for the response, however, being a newbie, I'm still new to the syntax of php and am not sure where or how to insert it. My login in script is the infamous "JPMaster77 Login Script" and I figured out at this juncture how to edit all the necessary data to fit my needs.

Here is what I have in my session.php file for the login function.

function login($subuser, $subpass, $subremember){
      global $database, $form;  //The database and form object

  /* Username error checking */
  $field = "user";  //Use field name for username
  if(!$subuser || strlen($subuser = trim($subuser)) == 0){
     $form->setError($field, "* Username not entered");
  }
  else{
     /* Check if username is not alphanumeric */
     if(!eregi("^([0-9a-z])*$", $subuser)){
        $form->setError($field, "* Username not alphanumeric");
     }
  }

  /* Password error checking */
  $field = "pass";  //Use field name for password
  if(!$subpass){
     $form->setError($field, "* Password not entered");
  }

  /* Return if form errors exist */
  if($form->num_errors > 0){
     return false;
  }

  /* Checks that username is in database and password is correct */
  $subuser = stripslashes($subuser);
  $result = $database->confirmUserPass($subuser, md5($subpass));

  /* Check error codes */
  if($result == 1){
     $field = "user";
     $form->setError($field, "* Username not found");
  }
  else if($result == 2){
     $field = "pass";
     $form->setError($field, "* Invalid password");
  }

  /* Return if form errors exist */
  if($form->num_errors > 0){
     return false;
  }

  /* Username and password correct, register session variables */
  $this->userinfo  = $database->getUserInfo($subuser);
  $this->username  = $_SESSION['username'] = $this->userinfo['username'];
  $this->userid    = $_SESSION['userid']   = $this->generateRandID();
  $this->userlevel = $this->userinfo['userlevel'];

  /* Insert userid into database and update active users table */
  $database->updateUserField($this->username, "userid", $this->userid);
  $database->addActiveUser($this->username, $this->time);
  $database->removeActiveGuest($_SERVER['REMOTE_ADDR']);

  /**
   * This is the cool part: the user has requested that we remember that
   * he's logged in, so we set two cookies. One to hold his username,
   * and one to hold his random value userid. It expires by the time
   * specified in constants.php. Now, next time he comes to our site, we will
   * log him in automatically, but only if he didn't log out before he left.
   */
  if($subremember){
     setcookie("cookname", $this->username, time()+COOKIE_EXPIRE, COOKIE_PATH);
     setcookie("cookid",   $this->userid,   time()+COOKIE_EXPIRE, COOKIE_PATH);
  }

  /* Login completed successfully */
  return true;
   }

So after the user has successfully logged in:

/* Username and password correct, register session variables */

I believe I want to set in addition to the variables that are there, the following variable (which I've already added to the db.sql file and has been created in the D😎 "change_pass":

$this->change_pass  = $_SESSION['change_pass'] = $this->userinfo['change_pass'];

Now if this is correct, I believe here I would need to add a conditional statement to check the value of "change_pass".

If it is "1", then redirect to change_password.php, if it is "0" then continue to parse through. BTW, the admin enters each user's info manually so by default all "change_pass" values will be set to "1"

This is where I don't know the proper syntax. Any help is GREATLY appreciated.

Thanks.