doc/password_expiration.rdoc
Last Update: 2020-04-07 11:37:59 -0700

Documentation for Password Expiration Feature

The password expiration feature requires that users change their password on login if it has expired (default: every 90 days). You can force password expiration checks for all logged in users by adding the following code to your route block:

rodauth.require_current_password

Additionally, you can set a minimum amount of time after a password is changed until it can be changed again. By default this is not enabled, but it can be enabled by setting allow_password_change_after to a positive number of seconds.

It is not recommended to use this feature unless you have a policy that requires it, as password expiration in general results in users choosing weaker passwords. When asked to change their password, many users choose a password that is based on their previous password, so forcing password expiration is in general a net loss from a security perspective.
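The two checks described above, as an added stand-alone example that is not Rodauth's own code: a small policy object using the documented option names and defaults (90 days, changes always allowed, unknown timestamps not treated as expired), with `PasswordExpirationPolicy` and its method arguments being assumptions of this example.

```ruby
# Added example, not part of Rodauth: models the decisions the password_expiration
# feature makes, with the same option names and defaults as documented above.
class PasswordExpirationPolicy
  DAY = 24 * 60 * 60

  # require_password_change_after: seconds until a change is required (90 days).
  # allow_password_change_after: minimum seconds between changes (nil = always allowed).
  # password_expiration_default: answer when the last change time is unknown (false).
  def initialize(require_password_change_after: 90 * DAY,
                 allow_password_change_after: nil,
                 password_expiration_default: false)
    @require_after = require_password_change_after
    @allow_after = allow_password_change_after
    @default = password_expiration_default
  end

  # Mirrors password_expired?: the password is expired once more than
  # require_password_change_after seconds have passed since changed_at.
  # With no recorded timestamp the result is password_expiration_default.
  def password_expired?(changed_at, now = Time.now)
    return @default if changed_at.nil?
    (now - changed_at) > @require_after
  end

  # Mirrors the allow_password_change_after check: a change is refused while
  # fewer than that many seconds have elapsed since the last change.
  def password_changeable?(changed_at, now = Time.now)
    return true if @allow_after.nil? || changed_at.nil?
    (now - changed_at) >= @allow_after
  end
end

if __FILE__ == $0
  # Constructed sample: a one-day minimum interval, evaluated at a fixed time.
  policy = PasswordExpirationPolicy.new(allow_password_change_after: PasswordExpirationPolicy::DAY)
  now = Time.utc(2020, 4, 7)
  puts policy.password_expired?(now - 91 * PasswordExpirationPolicy::DAY, now)  # true
  puts policy.password_changeable?(now - 3600, now)                              # false
end
```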

Auth Value Methods

allow_password_change_after

How long in seconds after the last password change until another password change is allowed (always allowed by default).

password_change_needed_redirect

Where to redirect if a password needs to be changed.

password_changed_at_session_key

The key in the session storing the timestamp the password was changed at.

password_expiration_changed_at_column

The column in the password_expiration_table containing the timestamp of the last password change.

password_expiration_default

If the last password change time for an account cannot be determined, whether to consider the account's password expired (false by default).

password_expiration_error_flash

The flash error to display when the account’s password has expired and needs to be changed.

password_expiration_id_column

The column in the password_expiration_table containing the account’s id.

password_expiration_table

The table holding the password last changed timestamps.

password_not_changeable_yet_error_flash

The flash error to display when not enough time has elapsed since the last password change and an attempt is made to change the password.

password_not_changeable_yet_redirect

Where to redirect if the password cannot be changed yet.

require_password_change_after

How long in seconds until a password change is required (90 days by default).

Auth Methods

password_expired?

Whether the password has expired for the related account.

update_password_changed_at

Update the password last changed timestamp for the current account.