U4-10849 - Umbraco user field "User Last updated" and "last locked date" not updating after password change / account locking..

Created by Ranjit J. Vaity 18 Jan 2018, 13:57:09 Updated by Ranjit J. Vaity 20 Aug 2018, 08:57:32

Tags: Up For Grabs PR Consider for sprint

Is duplicated by: U4-10819

Subtask of: U4-11011

Hello Team,

Thank your for wonderful CMS and community. :)

Umbraco CMS version: 7.7.1

What did you do? I have written a funtionality that will trigger a Job that runs daily mid-night to check all the users whose password is not changed for n days (Configured to 6 months = 180 days). Email notifications will start 15 days before expiry date. and if user changes password, "Password Last Changed" is expected to be updated with current date but this does not happen as db field stays NULL.

Create couple of users in Umbraco instance.

  1. Reset the password for one user using dashboard->Users sections->Click on User (and change password)
  2. On Umbrabo Login page, click "Forgotten Password", provoide valid email and reset the password. In both case you are able to change to new password

What did you expect to happen? I expect User db field "Password Last Changed" to be updated with new current dates.

What actually happened? By default this field is NULL in the db and stays NULL even after multiple password change. Just to mention "User Last updated" date changes as expected but on Password field. Please see the attached file. Password is changed on 18 Jan 2018. But password last changed remains as NULL.

Please help !

Thanks, Ranjit J. Vaity

3 Attachments

Download log.txt

Comments

Sebastiaan Janssen 18 Jan 2018, 14:09:23

Seems like a bug.

Note: password expiry is not best practice any more and actually considered to weaken security. You shouldn't do it. https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

Still, we should update dates when changes occur. If anyone has some time to look at this problem then we'd be happy to look at a pull request to fix this.


David Houghton 13 Feb 2018, 15:52:06

Currently experience the same/similar issue which lead me to this bug

Umbraco 7.4.3

We have a base of around 2000 members. member accounts are locked after three failed password attempts, at which point we manually unlock the account when requested by the member.

What did you do? Removed lock from members account and reset password.

What did you expect to happen? Expected account to remain unlocked and failed attempts to revert to zero

What actually happened? Account reverts back to locked when user next tries to login, but the last locked out date is not updated. Nothing failed login attempt entries or lock out messages in Umbraco logs.

Additional info: As with Ranjit, we also have 4 tasks executing (via HangFire, at 15 minutes intervals, 2 of which interact with member data) which pull down information regarding member subscriptions from a third party.

The problem for ourselves seems to occur whilst the task is running. You can see from the images provided taken twenty minutes apart today that my account has reverted to locked, failed attempts has reverted to three, with no attempts to log in, as well as no change to the lockout date.

We have no logic regarding member lockout/reactivation/failed password reset etc. present in the site codebase at our clients request.

Log excerpt attached, some user/back office data starred out. Any help/insight is appreciated.


Sam 22 Feb 2018, 04:27:11

I've fixed the issue and created a pull request here: https://github.com/umbraco/Umbraco-CMS/pull/2463


Shannon Deminick 26 Feb 2018, 01:52:45

Another PR for this one: https://github.com/umbraco/Umbraco-CMS/pull/2461 which is a simpler approach but doesn't solve the underying problem if the API is used differently


Sam 26 Feb 2018, 02:14:16

@Shandem the problem occurs in three different places that I know of: 1. change password on your own profile 2. change password in user section 3. change password after password reset. That's why I changed it in this underlying spot to address all three in the same spot.


Shannon Deminick 26 Feb 2018, 02:15:27

Yup all good! Just wanted to make a note that we've got another one to review too, awesome work! we'll keep you posted when we get to reviewing


Sam 26 Feb 2018, 02:53:22

­čĹŹ cheers :)


Ranjit J. Vaity 20 Aug 2018, 08:57:32

Hello All, Thank you very much for efforts and time┬Ę. Much appreciated┬Ę

BR Ranjit


Priority: Normal

Type: Bug

State: Fixed

Assignee: Umbraco

Difficulty: Normal

Category: Architecture

Backwards Compatible: True

Fix Submitted: None

Affected versions: 7.4.3, 7.7.1

Due in version: 7.12.0

Sprint:

Story Points:

Cycle: