Password expiration policy

Discussions about new features or changes in existing features

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Password expiration policy

Postby ccabrera » Fri Mar 06, 2015 1:19 pm

A client of mine requested a new password policy to be used in their Vicidial servers. He requested that passwords must have a 30 day expiration date and must comply with some typical requirements (8 char lenght, only a-zA-Z0-9, etc)

I modified the source files to be able to make this. The modifications were as follows:

Added a new field in System Settings table which sets the password_expiration_days to a number. If 0, then its disabled. If > 0, then it must run every X days.
Added a new field in Users table, which holds the last datetime of the modified password.

Modified vicidial/functions.php to have a function to test whether or not the password_modified_date is less than NOW() + password_expiration_days.
Modified vicidial/admin.php to run the previous test.
- If true, redirect to a new file called password_change.php
- If false, continue as normal
Modified agc/vicidial.php to run the same test as admin.php as soon as the password has been tested for expiration.
- If true, redirect to password_change.php
- If false, continue as normal.

The password_change.php contains a simple script which forces you to update the password and comply with the policies. After password has been changed, you are redirected back to the welcome page so user can try to login again either as admin or agent.

Obviously it needs to be perfectioned, but I think this is a good first step towards new clients who want to force their agents/supervisors to update their passwords every one in a while.

Is this a feature which could be useful? If you find it so, I can glady provide the patches (based on current trunk version) and any extra files I created in the process.
Christian Cabrera
Enlaza Comunicaciones - Vicidial Partner
Mexico City
ccabrera
 
Posts: 153
Joined: Fri Jan 14, 2011 7:53 pm
Location: Mexico City

Re: Password expiration policy

Postby mflorell » Fri Mar 06, 2015 2:33 pm

This sounds great! Could you post it to the Issue Tracker please?
mflorell
Site Admin
 
Posts: 18384
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Password expiration policy

Postby mav2287 » Mon Mar 09, 2015 3:58 pm

That sounds great! I have had this on my list of items to write for about a year now. The changing of an agent password has been talked about, but no one written it and I just have not got around to it. If I get time this weekend I may dig in and have a look! I was thinking of doing it almost the same way you did. The only difference in my approach was that I was going to implement the change_password directly into the vicidial.php script so that it would look like the phone login and force a password change.

You may also want to have the change_passoword function run on the timeclock so that you get all 3 login points covered.

This also would lend itself to doing password resets that would then force the user to change their password. That was another thing on my list.
ViciBox5.x86_64-5.0.3.preload from .iso upgraded to 13.1 | VERSION: 2.10-444c BUILD: 150129-0828 | 1.8.32.2-vici | Dual Server | No Digium/Sangoma Hardware | No Extra Software After Installation | Intel twin quad core 3Ghz Xeon chips | 32gb of RAM
mav2287
 
Posts: 256
Joined: Thu Oct 03, 2013 6:47 pm

Re: Password expiration policy

Postby mav2287 » Mon Apr 06, 2015 4:49 pm

You make any progress on this?
ViciBox5.x86_64-5.0.3.preload from .iso upgraded to 13.1 | VERSION: 2.10-444c BUILD: 150129-0828 | 1.8.32.2-vici | Dual Server | No Digium/Sangoma Hardware | No Extra Software After Installation | Intel twin quad core 3Ghz Xeon chips | 32gb of RAM
mav2287
 
Posts: 256
Joined: Thu Oct 03, 2013 6:47 pm

Re: Password expiration policy

Postby ccabrera » Mon Apr 06, 2015 6:03 pm

Indeed. Actually, development is complete, but since I´m also doing changes in CSS for Vicidial, there are quite some lines that changed, so I´m first cleaning up the diff file so that Matt doesn´t think I´m hacking all of his code at once.

In short, this feature implies the following:

- Adding 1 field to system_settings table
- Adding 1 field to vicidial_users table
- Modify vicidial/admin.php and agc/vicidial.php to check for passwords after login
- Create a password_change.php where users are redirected either from AGC or from Vicidial admin pages in case their password is expired
- Add a function to functions.php to handle password expiry check and redirection
- Add QXZ phrases so this feature is properly translated

If time allows I´ll post this to Mantis this week for its inclusion.

Regards.
Christian Cabrera
Enlaza Comunicaciones - Vicidial Partner
Mexico City
ccabrera
 
Posts: 153
Joined: Fri Jan 14, 2011 7:53 pm
Location: Mexico City

Re: Password expiration policy

Postby mflorell » Mon Apr 06, 2015 6:58 pm

For the admin side, it would probably be easier to add it to the existing Force Change Password page($ADD==999997) instead of redirecting to a new page.
mflorell
Site Admin
 
Posts: 18384
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Password expiration policy

Postby scicali » Wed Jun 17, 2015 9:50 am

Any news about this new feature?
scicali
 
Posts: 22
Joined: Thu Nov 28, 2013 6:21 am


Return to Features

Who is online

Users browsing this forum: No registered users and 67 guests