Page 1 of 2 12 LastLast
Results 1 to 10 of 18
  1. #1
    Join Date
    Feb 2012
    Location
    Costa Mesa, CA
    Posts
    10
    Plugin Contributions
    0

    red flag Password Expired - New Password Rejected - Always No Matter What

    [Note: remember to include site URL, ZC version, list of plugins, PHP version, etc ... read the Posting Tips shown above for information to include in your post here.

    Site URL: https://mservicegroup.com/
    ZC Version: 1.5.7a (problem goes back to at least 1.5.6)
    Plug-ins: Mobishop Template, AJAX One Page Checkout, Fedex_Web_Services, TXP Payment Gateway, Quick Updates, Multi-Cross-Sell, Microformats-RichSnippets, Sitemap_XML, Easy_Populate

    Every 90 days or whenever Passwords Expire, I am prompted to change my password except that changing my password using that "Password Expired" webpage fails.

    I replace it with unique, randomly generated 16, 18, and 20 alphanumeric + symbol passwords. These always fail whether on the Admin side or the User side.

    The only thing that works and I am forced to do to, is use the Forgot Password link. Only this method successfully changes my password.

    Unfortunately, my customers are not that patient and I've lost customers. A few told me it's too much trouble and they've ordered elsewhere. Others just don't come back.

    Please help,
    Chase

    Name:  Screen Shot 2021-08-02 at 1.08.42 PM.jpg
Views: 455
Size:  23.5 KB
    P.S.: Additional bug with this Forum: inserting any attachments "inline" overwrites the entirely previously written post if post was selected!

  2. #2
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Password Expired - New Password Rejected - Always No Matter What

    Quote Originally Posted by mservice View Post
    Unfortunately, my customers are not that patient and I've lost customers. A few told me it's too much trouble and they've ordered elsewhere. Others just don't come back.
    There's no "forced password change" for a store's customers. Only the Admin.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Feb 2012
    Location
    Costa Mesa, CA
    Posts
    10
    Plugin Contributions
    0

    Default Re: Password Expired - New Password Rejected - Always No Matter What

    If a customer has not logged in for x days, isn't that customer asked to update their password?

    And nonetheless, what should I as an Admin do since this password expiration caused password change prompt does not work? I am happy to privately share info for troubleshooting.

  4. #4
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,106
    Plugin Contributions
    11

    Default Re: Password Expired - New Password Rejected - Always No Matter What

    As the doctor said, the customer is not presented with a password change UNLESS they request a change when they forget their password.

    As your image shows, the problem is on the admin side. History has shown us that your SSL and 301 redirects can have a similar effect on the password change.

    Your SSL is set for your site WITHOUT the www. However, your site will accept www in the URL when trying to access the site.

    This is not acceptable to most search engines and will get you a hit as duplicate listing as https://YOUR_SITE.com is different from https://www.YOUR_SITE.com.

    The admin is more "picky" when it comes to the match.

    For example, we have found that accessing the admin with other than an SSL-matching URL can cause the problem you are seeing.

    Some of our customers set their bookmarks before finding that we issue SSLs without the www. So, they were trying to change the password and the system was saying, "You're coming from a place that's NOT protected."

    The quickest fix is to make sure you are accessing the admin WITHOUT www in the URL and make sure something doesn't change that during the process. (i.e., a link in your admin that has www in it.)

    For the long haul, we recommend our customers put a 301 redirect in a .htaccess file in the root of the site. If you have cPanel, it will do that for you but, make sure you select Do Not Redirect www.

    If that option is not available to you in your management panel, there is a free generator that creates the following:
    Code:
    # Needed before any rewritingRewriteEngine On
    
    
    ### Built using the .htaccess 301 Redirect Generator from Web Site Advantage
    ### https://websiteadvantage.com.au/HtAccess-301-Redirect-Generator
    ### Place after 'RewriteEngine On' and before any CMS specific rewrite rules
    
    
    # Redirect HTTP with www to HTTPS without www
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule .* https://%1%{REQUEST_URI} [R=301,L]
    # Redirect HTTP without www to HTTPS without www
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # Redirect HTTPS with www to HTTPS without www
    RewriteCond %{HTTPS} on
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule .* https://%1%{REQUEST_URI} [R=301,L]
    
    
    ## 301 Redirects
    Whether you do it with cPanel, some other management system, or by adding the above code to your .htaccess file; it should cure the problem.

  5. #5
    Join Date
    Apr 2013
    Location
    eglisau switzerland
    Posts
    567
    Plugin Contributions
    0

    Default Re: Password Expired - New Password Rejected - Always No Matter What

    Admin passwords are letters and numbers, no symbols.

  6. #6
    Join Date
    Feb 2012
    Location
    Costa Mesa, CA
    Posts
    10
    Plugin Contributions
    0

    Default Re: Password Expired - New Password Rejected - Always No Matter What

    Thank you dbltoe but that did not solve the problem.

    Yes, I have CPanel but to to prevent "www" redirects I also added precisely the 301 redirect manually to .htaccess at root level.
    This had no affect and there never appeared to be any redirects occurring anyway.

    Marton, I've tried using new alphanumeric passwords from 14 characters to 22, with symbols and without, always randomly generated w Password Manager. Note that the Zen-Cart message specifically states the only requirements are longer than 7 characters and not re-used. Not using symbols is not PCI Compliant, by the way.

    Nevertheless, the new password is rejected every single time.

    At this point, I give up and will use the forgot password reset, as I've been forced to do every 90 days for the past couple of years until this bug gets solved.

  7. #7
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,106
    Plugin Contributions
    11

    Default Re: Password Expired - New Password Rejected - Always No Matter What

    Quote Originally Posted by mservice View Post
    Yes, I have CPanel but to to prevent "www" redirects I also added precisely the 301 redirect manually to .htaccess at root level.
    This had no affect and there never appeared to be any redirects occurring anyway.
    The 301 is now working correctly.

    Sounds as if you have a hung up database.

    After doing the new admin password, delete your admin account and then re-enter the data.

  8. #8
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,669
    Plugin Contributions
    11

    Default Re: Password Expired - New Password Rejected - Always No Matter What

    Quote Originally Posted by mservice View Post
    At this point, I give up and will use the forgot password reset, as I've been forced to do every 90 days for the past couple of years until this bug gets solved.
    • its great that you have a workaround for a very annoying problem.
    • personally, i find it very frustrating whenever i have difficulty changing a password on a website.
    • as you seem to be the only one having this specific problem, i would not call it a bug.
    • if this were truly a bug, many more people would be complaining about it.
    • most of the password functions are in this file:
      https://github.com/zencart/zencart/b...min_access.php
    • i would compare this version of the file with your version on your server.

    best.
    author of square Webpay.
    mxWorks has premium plugins. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.

  9. #9
    Join Date
    Apr 2013
    Location
    eglisau switzerland
    Posts
    567
    Plugin Contributions
    0

    Default Re: Password Expired - New Password Rejected - Always No Matter What

    Quote Originally Posted by mservice View Post
    Thank you dbltoe but that did not solve the problem.

    Yes, I have CPanel but to to prevent "www" redirects I also added precisely the 301 redirect manually to .htaccess at root level.
    This had no affect and there never appeared to be any redirects occurring anyway.

    Marton, I've tried using new alphanumeric passwords from 14 characters to 22, with symbols and without, always randomly generated w Password Manager. Note that the Zen-Cart message specifically states the only requirements are longer than 7 characters and not re-used. Not using symbols is not PCI Compliant, by the way.

    Nevertheless, the new password is rejected every single time.

    At this point, I give up and will use the forgot password reset, as I've been forced to do every 90 days for the past couple of years until this bug gets solved.
    You posted " the Zen-Cart message specifically states the only requirements are longer than 7 characters and not re-used."

    Note it also states "Passwords must contain letters and numbers".

  10. #10
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    9,622
    Plugin Contributions
    123

    Default Re: Password Expired - New Password Rejected - Always No Matter What

    Quote Originally Posted by mservice View Post
    what should I as an Admin do since this password expiration caused password change prompt does not work?
    It could be that your password manager is causing this failure; try changing your password in a browser where you are not running (or logged out of) your password manager, and then save your new password in your password manager.
    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.
    Do you benefit from Zen Cart? Then please support the project.

 

 
Page 1 of 2 12 LastLast

Similar Threads

  1. v155 Password update rejected - locked out of Admin
    By hspadoni in forum General Questions
    Replies: 2
    Last Post: 3 Oct 2016, 04:49 PM
  2. Replies: 1
    Last Post: 1 Feb 2015, 03:12 PM
  3. v150 admin password expired, won't reset, will not send new password to email
    By baltimorestreetmods in forum General Questions
    Replies: 2
    Last Post: 6 Sep 2012, 07:16 PM
  4. Replies: 6
    Last Post: 10 Jun 2010, 01:13 PM
  5. New Password from Forgotton Password does not work
    By JackQBTeK in forum General Questions
    Replies: 1
    Last Post: 14 Jan 2007, 09:42 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR