Change password form in login system

[Luke.F.14]

Hi,



I have created a login system as part of my A-Level database. Part of the script i have used makes a user change their password if it is the default "password", i.e. if they are new or their password has been reset by the admin user using an update query. The script puts up a message box saying "Please change password" which then opens a change password form. The problem lies here. If i leave it as so, there is nothing stopping the user from navigating through and changing other user's passwords, considering the change password form is based upon the table of users/passwords. Basically, i need a way of filling the change password form with the data of the username that has been inputted in the login section, and then disabling navigation so that they can only change their own password - for example, a "user1" puts their username, user1, and password, password, into the login form and presses enter. It then prompts user1 that their password needs changing, then the change password form pops up. This change password form is just a form based upon the table of users - user1 would need to navigate through and find his own details or he could in effect change any other users details - this is what i want to stop, so that user1's details automatically populate the change password form and navigation to other records is disabled.

Many thanks
Luke

[Micron]

My inclination is to ask 'why bother with passwords'?
If you have a user table which contains their Windows Login ID (NOT their Windows password), when they try to open the db, use fosUserName() (search for this simple function) and to keep it simple, DLookup the table for that value. If it isn't found, they don't get in.

If you're really so into passwords, then don't show them all the table values. Your form must have a user name field, no? Restrict the view to the password record for that user and don't have navigation controls on the form. Base the form on an updatable query, not the table, and filter the query via the login form user name. I stopped using login passwords long ago and nobody could get in if they weren't in the table. Of course, I had to make sure they couldn't access the tables, but that's another topic.

[alansidman]

In addition to Micron's suggestion, I like to restrict access to different portions of the db. This can be done through permissions. The attached is a rather lengthy thread but once in place is very effective.

https://www.mrexcel.com/forum/micros...ns-system.html

[Bulzie]

I use Active Directory in combination with a Custom Users table that contains user groups for limiting access.

But to your question above, when they put in their ID and password of "Password" for the reset, pop up an unbound form that only has 1 textbox field for the new password along with a Submit button. Once they put in new password and hit submit, use code to update their specific record with the new password, close that pop up form and pull up the main form. That way they only change their info. You could also put in a msgbox saying "Your password has been updated.".

dbs.Execute "UPDATE YourUserTable SET EmpPassword = '" & me.NewPassword & "' WHERE UserID = '" & Me.UserID & "';"

Not sure that syntax is all correct but you get the idea.