[TYPO3-dev] Password expiry and blacklists

Christian Lerrahn (Cerebrum) christian.lerrahn at cerebrum.com.au
Mon Feb 20 05:27:10 CET 2012


Hi Kay,
On Wed, 15 Feb 2012 10:03:48 +0100
Kay Strobach <typo3 at kay-strobach.de> wrote:
> thanks for taking care - i would like to test your result.
> 
> How this could be achieved:
> 
> 1. React on userpassword changes with a hook:
> 
> 	$TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][]
> 
> In this hook you can change the processed values (contact me for
> details, made something similar for fe_users).
> Checking the new password is a bit harder, but there must be a hook
> for serverside validation as well.

I actually use this hook in my current extension. However, I did not
find a way of declaring the input invalid. I worked around this
problem by just expiring an invalid (i.e. blacklisted) password entered
in the BE immediately, to make it impossible for a user to change back
the password after having been forced to change it on login.

> 2. Check in the backend.php, if the password has been expired and
> show form:
> 
> 2.1 There are several suitable hooks, which can serve what you need:
> 
> 	e.g.: $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']
> 		['typo3/backend.php']['constructPostProcess']
> 
> 	The hook must then do an HTTP redirect to your password change
> 	form and stop the execution of the script.

Not sure about this. I did go on a hunt for adequate hooks before I
patched the core. However, there was no hook that allowed me to easily
redirect to a password change form AFTER successful authentication and
along with forced log out before redirect. The tricky bit here is to
make it absolutely impossible to circumvent the password expiry. This
was also the problem of a password expiry extension which existed some
time ago. It had the user logged in while the password change occurred
which meant that the change could be circumvented by just changing the
URL in the browser to the backend URL manually.

> 2.2 Another approach would be to add an additional BE item and do
> the password change with ExtJS and AJAX (like the relogin window in
> TYPO3 4.5)
> 
> I would like to see 2.2, as this just stops the interaction for some
> seconds, but lets the BE load the stores needed for further work.

I'd definitely like this as well but would need to do some research for
this because I have never worked with ExtJS at this point. Also, I'm
unsure if this could easily be used to overlay the login screen while
logged out (even though I suspect it is possible).

Cheers,
Christian
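
The workaround Christian describes above (a blacklisted password cannot be rejected from the processDatamap hook, so it is stored but expired at once), as an added example in PHP for TYPO3 4.x. This is not code from the thread or from either poster's extension. The hook registration key is the one Kay quotes; the `be_users` field `tx_pwexpiry_expires`, the blacklist file path, the 90-day maximum age and the assumption about how the BE form resubmits an unchanged password are all mine, not the page's.

```php
<?php
/**
 * Added example, not code from Christian's extension or from Kay's post.
 * A t3lib_TCEmain "processDatamap" hook that implements the workaround
 * described in the thread: the hook cannot reject the new be_users password,
 * so a blacklisted one is stored but expired immediately, and any other new
 * password gets a fresh expiry date.
 *
 * Assumptions (not from the original post):
 *  - be_users has an extra integer field tx_pwexpiry_expires (hypothetical;
 *    it must be added via ext_tables.sql and TCA) holding the expiry timestamp;
 *  - the blacklist is a text file with one password per line at the
 *    placeholder path below;
 *  - the BE form submits a new password in clear text, while an unchanged
 *    field arrives as the existing 32-character MD5 hash (TYPO3 4.x without
 *    saltedpasswords), which the hook leaves alone.
 *
 * Registration in ext_localconf.php (TYPO3 4.x style):
 *   $TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][]
 *       = 'EXT:pwexpiry/class.tx_pwexpiry_tcemainhook.php:tx_pwexpiry_tcemainhook';
 */
class tx_pwexpiry_tcemainhook {

	/** Placeholder path, relative to PATH_site; one blacklisted password per line. */
	const BLACKLIST_FILE = 'fileadmin/password-blacklist.txt';

	/** Maximum password age in seconds (90 days); an assumed policy value. */
	const MAX_AGE = 90 * 86400;

	/** Lower-cased blacklist, loaded once per request. */
	protected $blacklist = NULL;

	/**
	 * Runs before t3lib_TCEmain evaluates the submitted fields (i.e. before
	 * the 'md5' eval hashes the password), so the clear text is still visible.
	 */
	public function processDatamap_preProcessFieldArray(array &$incomingFieldArray, $table, $id, t3lib_TCEmain &$pObj) {
		if ($table !== 'be_users' || !isset($incomingFieldArray['password'])) {
			return;
		}
		$password = (string) $incomingFieldArray['password'];
		if ($password === '' || $this->looksLikeStoredHash($password)) {
			// Empty field or unchanged record: no password change, nothing to do.
			return;
		}
		if ($this->isBlacklisted($password)) {
			// The input cannot be declared invalid here, so expire it at once:
			// the user is forced to change it again at the next login.
			$incomingFieldArray['tx_pwexpiry_expires'] = $GLOBALS['EXEC_TIME'];
		} else {
			$incomingFieldArray['tx_pwexpiry_expires'] = $GLOBALS['EXEC_TIME'] + self::MAX_AGE;
		}
	}

	/** An unchanged password field is resubmitted as the stored MD5 hash. */
	protected function looksLikeStoredHash($value) {
		return (bool) preg_match('/^[0-9a-f]{32}$/i', $value);
	}

	/** Case-insensitive lookup against the blacklist file. */
	protected function isBlacklisted($password) {
		if ($this->blacklist === NULL) {
			$this->blacklist = array();
			$file = PATH_site . self::BLACKLIST_FILE;
			if (is_readable($file)) {
				foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
					$this->blacklist[strtolower(trim($line))] = TRUE;
				}
			}
		}
		return isset($this->blacklist[strtolower($password)]);
	}
}
```

Writing the expiry timestamp into `$incomingFieldArray` lets TCEmain persist it in the same write as the password, so there is no window in which the blacklisted password is stored without its expiry mark. The login-time check that reads `tx_pwexpiry_expires` and forces the change is the part the thread says has no suitable hook, so it is not shown here.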