DBAsupport.com Forums - Powered by vBulletin
Results 1 to 4 of 4

Thread: Changing an expired password

  1. #1
    Join Date
    Jun 2002
    Location
    Longmont, Colorado
    Posts
    174

    Changing an expired password

    When a user's password in Oracle has expired, is the only way for that user to be able to get in and change their password is by using sqlplus??

    I ask this because, what I see happen is this:

    When a user tries to login after his password has expired (using sqlplus), sqlplus immediately prompts for a new password. So I can see that oracle initiates a request from the user. Sqlplus seems to handle this nicely - prompts the user and waits for a response. But how can I handle this outside of sqlplus. I see that not even sqlplus worksheet handles this type of request from the database.

    My users don't have sqlplus and we've setup a simple web form that allows them to change their password. This works only if their password has not expired. The web form simply asks the user to enter their username, connect_string, old password, new password (and retype new password), and when the "submit" button is pressed, all the web form does is pass the following sql:

    connect username/password@connect_string
    alter user username identified by new_password replace old_password;

    Very simple (as you can see).

    But this, again, does not work when the password is expired because Oracle immediately requests for a new password.

    Has anyone addressed this? How?

  2. #2
    Join Date
    Sep 2002
    Location
    England
    Posts
    7,334
    you have to code for it in your app (like sqlplus does)

    or get the dba to do it...

  3. #3
    Join Date
    Jun 2002
    Location
    Longmont, Colorado
    Posts
    174
    So you mean we have to make our little web form a little more smarter to be able to accept requests from oracle.

    I am the dba, and I don't know what I can do from the database side to help this. All of this happens right when the user is tryig to connect.

    One thing I have found that I can do is this:

    Since the web form simply passes a command string, like "sqlplus username/old_password@connect_string"...

    We can simply add this at the end: < passwd.txt

    In other words:

    sqlplus username/old_password@connect_string < passwd.txt

    And the contents of passwd.txt is simply this 2 lines:

    new_password
    new_password

    This would essentially take care of responding to the database request to changed the expired password.

    I'm wondering if there are any other arguments that sqlplus accepts at the command line that would make this more easier??

  4. #4
    Join Date
    Aug 2002
    Location
    Atlanta
    Posts
    1,187
    query against dba_users for the account status and handle expired passwords
    as part of the login.

    I don't see any bind variables in your original code snippet leaving you open to
    sql injection
    Last edited by stmontgo; 05-04-2005 at 03:03 PM.
    I'm stmontgo and I approve of this message

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Click Here to Expand Forum to Full Width