[TYPO3-dev] Implement password expiry in BE
Christian Lerrahn (Cerebrum)
christian.lerrahn at cerebrum.com.au
Wed Feb 23 07:22:11 CET 2011
Hi,
I'm trying to implement a password expiry with blacklists for the BE.
In principle that already exists as the extension cl_beuser_password
but that extension (even when modified to work with current TYPO3
versions) has one major weakness. As the password update is performed
AFTER successful login, it can easily be circumvented by just changing
the URL in the browser.
I have had several ideas how to go about this but ran into different
kinds of problems with every single one of them.
My first approach was to use a service. I could run this service before
any other authentication service, pass through to the other services
if the password is not expired or redirect to some password change form
if it is expired. There is a major flaw in this design. Firstly, I
reveal that the password is expired without knowing first if the
entered password is valid. If I want to avoid that I have to duplicate
the whole authentication routine into my service and then not pass on
to other services. That seems rather inelegant.
The other option would be to run the service late in the process.
However, I cannot run it after successful login because it will never
be used at that point. The service chain stops as soon as a service
reports a successful login.
The second approach I took was using hooks or XCLASSes, similar to
cl_beuser_password. The XCLASS approach has two major flaws. There is,
of course, the limitation of one XCLASS per class. Furthermore, I can't
XCLASS e.g. dummy.php if I don't log in the user first because the
start-up code in that file already exits if no user is logged in.
However, once I keep the user logged in, he can just go to the BE
manually and never change his password.
The problem with hooks is that there are no hooks that really are in
the right place. The one that rsaauth uses only works until it gets
content from something that hooks in. The hooks in authentication class
get called too often for the purpose here.
Any suggestions how to go about that? Maybe another approach I haven't
thought of?
Cheers,
Christian
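The ordering the post argues for, as an added example written for this page rather than code from the thread, from TYPO3 or from the cl_beuser_password extension: the password is verified first, the "expired" outcome is produced only for a valid login (so an attacker guessing passwords learns nothing about expiry), and every subsequent request is refused until the password is changed, so editing the URL after login does not bypass the check. It is plain PHP with an in-memory user record; the 90-day limit, the `/change-password` route, the function names and the placeholder backend route are assumptions, not TYPO3 identifiers.

```php
<?php
// Added example (not from the post, TYPO3 core or cl_beuser_password).
// Shows: verify password -> only then evaluate expiry -> gate every request
// on the "must change password" flag -> reject reused passwords on change.

declare(strict_types=1);

const PASSWORD_MAX_AGE = 90 * 86400; // assumption: passwords expire after 90 days

// Constructed in-memory record standing in for a backend user row.
$users = [
    'editor' => [
        'password'   => password_hash('correct horse', PASSWORD_DEFAULT),
        'pw_changed' => time() - 120 * 86400, // last changed 120 days ago: expired
        'previous'   => [],                    // hashes of earlier passwords (blacklist)
    ],
];

// Returns 'invalid', 'expired' or 'ok'. Expiry is only reported after the
// password verified, so an invalid attempt never reveals the account state.
function authenticate(array $users, string $name, string $password, int $now): string
{
    $user = $users[$name] ?? null;
    // Verify against a throwaway hash for unknown users so both paths do similar work.
    $hash = $user['password'] ?? password_hash('throwaway', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $user === null) {
        return 'invalid';
    }
    if ($now - $user['pw_changed'] > PASSWORD_MAX_AGE) {
        return 'expired';
    }
    return 'ok';
}

// Request gate, to be run on every backend request: while the session is
// flagged, only the password-change route is allowed through.
function allowRequest(array $session, string $route): bool
{
    if (!($session['authenticated'] ?? false)) {
        return false;
    }
    if (($session['must_change_password'] ?? false) && $route !== '/change-password') {
        return false;
    }
    return true;
}

// Password change with a reuse blacklist: the current and all previous
// hashes are checked against the candidate before it is accepted.
function changePassword(array &$user, string $new): bool
{
    foreach (array_merge([$user['password']], $user['previous']) as $old) {
        if (password_verify($new, $old)) {
            return false; // candidate matches a current or previous password
        }
    }
    $user['previous'][] = $user['password'];
    $user['password']   = password_hash($new, PASSWORD_DEFAULT);
    $user['pw_changed'] = time();
    return true;
}

// Walk-through with the constructed user.
$now     = time();
$result  = authenticate($users, 'editor', 'correct horse', $now);
$session = [
    'authenticated'        => $result !== 'invalid',
    'must_change_password' => $result === 'expired',
];
var_dump($result);
var_dump(allowRequest($session, '/placeholder-backend-module')); // refused while flagged
var_dump(allowRequest($session, '/change-password'));            // the only allowed route
var_dump(changePassword($users['editor'], 'correct horse'));      // reuse of current password
var_dump(changePassword($users['editor'], 'new passphrase 2011'));
$session['must_change_password'] = false;
var_dump(allowRequest($session, '/placeholder-backend-module'));
```

The design choice that matters is that `allowRequest` runs on every request, not once after login: the flag lives in the session, so the user cannot simply navigate to another backend URL, which is the weakness the post identifies in a post-login redirect.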