Force a User to Change Their Password (ChangePasswordFilter)

You are viewing revision #7 of this wiki article.
This version may not be up to date with the latest version.
You may want to view the differences to the latest version.
next (#8) »

Sometimes you need to force a user to change their password after x number of days. This article describes how to implement this using a filter, ChangePasswordFilter.

Why can't I use afterLogin()? Sure, you could redirect a user to a change password form after they login, but there's no mechanism to keep the user on the change password form. I.e. they could easily browse to another page.

The Password Filter Class. This class calls ChangePasswordRule->changePasswordRequired() to check the user's password freshness.

<?php

/**
 * ChangePasswordFilter class file.
 *
 * @author Matt Skelton
 * @date 27-Jun-2011
 * 
 * Determines if a user needs to change their password. 
 * A user must change their password if:
 *      User->daysSincePasswordChange() > ChangePasswordRule->passwordExpiry
 */
class ChangePasswordFilter extends CFilter
{
    private $rule;

    /**
     * Runs a check to see if the user is required to change the password. This 
     * method is called before controller actions are run.
     * @param CFilterChain $filterChain the filter chain that the filter is on.
     * @return boolean whether the filtering process should continue and the action
     * should be executed.
     */
    public function preFilter($filterChain)
    {
        $allowed = true;

        if ($this->rule->changePasswordRequired(Yii::app()->user->getModel()))
        {
            $allowed = false;
            
            Yii::app()->user->setFlash('notice', 'You must change your password before you can proceed.');
            Yii::app()->user->redirectToPasswordForm();
        }

        return $allowed;
    }

    /**
     * Builds the rule for the filter.
     * @param array $rules the list of rules as set in the controller
     */
    public function setRules($rule)
    {
        $passwordRule = new ChangePasswordRule();
        $passwordRule->passwordExpiry = $rule['days'];

        $this->rule = $passwordRule;
    }
}
?>

The Password Rule Class. This class returns a Boolean indicating if the user needs to change their password.

<?php

/**
 * ChangePasswordRule class file.
 *
 * @author Matt Skelton
 * @date 27-Jun-2011
 * 
 * This class performs the actual validation and returns a boolean indicating if
 * the user is required to change their password.
 */
class ChangePasswordRule extends CComponent
{
    public $passwordExpiry;

    /**
     * Checks if a user is required to change their password.
     * @param type $user the user whose password needs to be validated
     * @return boolean if the user must change their password
     */
    public function changePasswordRequired($user)
    {
        $passwordChangeRequired = false;

        if ($user->daysSincePasswordChange() > $this->passwordExpiry)
            $passwordChangeRequired = true;

        return $passwordChangeRequired;
    }

}
?>

Controller Class (Parent Controller - client controllers should extend this one). These two methods instantiate the filter and link it to all controllers that inherit from this one.

/**
     * Creates a rule to validate user's password freshness.
     * @return array the array of rules to validate against
     */
    public function changePasswordRules()
    {
        return array(
            'days' => 30,
        );
    }

    /**
     * Runs the Password filter
     * @param type $filterChain 
     */
    public function filterChangePassword($filterChain)
    {
        $filter = new ChangePasswordFilter();
        $filter->setRules($this->changePasswordRules());
        $filter->filter($filterChain);
    }

Client Controller Class. This is an example of my SiteController. The changePasswordFilter applies to all actions except for the ones listed after "-".

/**
     * @return array action filters
     */
    public function filters()
    {
        return array(
            'accessControl', // perform access control for CRUD operations
            'changePassword - logout, login, autoLogin, password, securityCode, passwordVerify, verify, autoGeneratePassword',
            'https',
        );
    }

These are two convenience methods I use in my User model. They're used to calculate the days since the user has changed his/her password.

/**
     * Returns the number of days since the user changed their password.
     * @return integer the number of elapsed days
     */
    public function daysSincePasswordChange()
    {
        return $this->calculateInterval($this->password_update_time);
    }

    /**
     * Returns the number of days between two time intervals. If $end is null, 'now' will be used.
     * @param string $start the start time. Should be an English textual description. Ex: 2011-06-28 08:06:53
     * @param string $end the end time. Should be an English textual description. Ex: 2011-06-28 08:06:53
     * @return integer the number of days
     */
    public function calculateInterval($start, $end = null)
    {
        $startTime = strtotime($start);
        $endTime = ($end == null) ? time() : $end;

        $elapsedTime = abs($endTime - $startTime);

        return round($elapsedTime / 86400);
    }

The redirectToPasswordForm method. I include this in WebUser. It is copied from CWebUser->loginRequired() but redirects to the password form, instead of the login form.

public function redirectToPasswordForm()
    {
        if (!Yii::app()->request->getIsAjaxRequest())
            $this->setReturnUrl(Yii::app()->request->getUrl());

        if (($url = $this->changePasswordUrl) !== null)
        {
            if (is_array($url))
            {
                $route = isset($url[0]) ? $url[0] : $app->defaultController;
                $url = Yii::app()->createUrl($route, array_splice($url, 1));
            }
            Yii::app()->request->redirect($url);
        }
        else
            throw new CHttpException(403, Yii::t('yii', 'Change Password Required'));
    }

The rule setup in Controller.php, 'days' => 30,, is obviously very simple. It can be easily extended. For example, users of different roles might have different freshness requirements - Admin users - 10 days, regular users - 30 days, super admins - never etc. You'll just need to modify ChangePasswordFilter->setRules() and ChangePasswordRule->changePasswordRequired() to loop over the list of rules and perform your needed logic.

Hope this helps - feedback welcome.

Matt

14 0

10 followers

Viewed: 29 554 times

Version: Unknown (update)

Category: Tutorials

Tags: filters, password, security, user management

Written by: waterloomatt

Last updated by: waterloomatt

Created on: Sep 16, 2011

Last updated: 12 years ago

Update Article

Revisions

View all history

12 years ago by waterloomatt
Added WebUser class, added Time helper c...
12 years ago by waterloomatt
Changed $passwordRule->passwordExpiry =...

User Contributed Notes 3

#5692

0 0

Loading whole user model to CWebUser?

I'm just wondering. You're loading whole model for currently logged-in user into WebUser. I understand that this includes user password. Is that safe? I've heard that storing sensitive data in Yii::app()->user is not considered to be the best idea.

Trejder at Nov 2, 2011, 11:17:13 AM

#16777

file structure

can somebody tell me where to put the files?

prashant.tyagi at Mar 27, 2014, 6:52:25 AM

#21015

Can anyone tell me why is it having 302 redirects to the change password page?
After the redirectToPasswordForm() inside WebUser is hit.

With this piece of code, getting 302 too many redirects to this page. Therefore page does not work.
Yii::app()->request->redirect($url);

Abhishek Chaudhary at Feb 23, 2022, 3:42:18 AM

Please only use comments to help explain the above article.
If you have any questions, please ask in the forum instead.

Signup or Login in order to comment.

Categories

Popular Tags

Recent Comments

Force a User to Change Their Password (ChangePasswordFilter)

Revisions

Related Articles