The password change request expired. You should ask for a new one

[Bill Dalton]

Imported customer data from PS 5.6.3 to PS 8.1.2

The " forgot password email link will not allow reset of the passwords, messages,

"The password change request expired. You should ask for a new one."

Has anyone run into this?

[Nickz]

9 minutes ago, Bill Dalton said:

Has anyone run into this?

If a different key was used to incrypt, like the server was changed or the incryptions key was updated it can happen.

Edited October 1, 2023 by Nickz (see edit history)

[Bill Dalton]

Yes, I was using a module that created more robust password encryption. So, what would be a fix for me? I wonder if I could take a newly generated password key and copy that key to all customers. Everyone will need to regenerate the key anyway. But to allow them to do so is the problem.

[Nickz]

10 minutes ago, Bill Dalton said:

But to allow them to do so is the problem.

I would write all former customers an email, in this form: Thanks for being our customer,  we have updated your site, please create a new password as we also enhanced your security.  Maybe offering a 3% Discount for that issue.

Edited October 1, 2023 by Nickz (see edit history)

[Bill Dalton]

But the create a new password will not work for them. They will only get the error message, "The password change request expired. You should ask for a new one."

 

[Nickz]

7 minutes ago, Bill Dalton said:

But the create a new password will not work for them. They will only get the error message, "The password change request expired. You should ask for a new one."

Hmm is your mail server set up?
 

[Bill Dalton]

Yes, @Nickz, the email is working. I'll tell you what the problem is again. When you receive the email to reset your password and click on the link, the website gives the error: "The password change request expired. You should ask for a new one."

That's what needs to be fixed. 

[Nickz]

19 minutes ago, Bill Dalton said:

That's what needs to be fixed. 

obviuosly,  which modul handles that?

[Bill Dalton]

There is no module. I installed PS 8.1.2 and migrated the customers from the old PS 5.6.3. I knew the passwords would not be compatible because of a module I had in use on the old site. I knew that customers would need to update the password manually. However, I did not anticipate this problem. I hope someone who has had a similar problem might offer a solution.

[endriu107]

At first check in ps_customer table that users have filled passwd column.

[Bill Dalton]

@endriu107 yes sir! Did that, and all looks ok. I also created a new customer to compare that data, and the new customer data looks the same pretty much, however, the new customer created with PS 8.1.2 can use the forgot password function with no problems. I think I'll try copying the new password to one of the old customers, change the email to mine and see if it will allow it to update.

[Bill Dalton]

Yep, that's what it is. The format of the old password.

As stated, my old site is PS 1.5.6.3 - on that site; I installed a module that would increase password security.

Password recovery & High-Security Password Storage
Developed by:MADEF IT|Version:1.1.1

He is no longer updating the module because newer versions of PS have better password handling. Unfortunately for me and my customers, there isn't any way to use the passwords after migrating to PS 8.1.2. And now, in addition to that, the password format is causing the forgot password routine to fail.

Because none of the passwords would work anyway, I can copy an updated password in the new format into each customer record, allowing the customer to use the forgot password method.

However, I think a more elegant method will be to install some code to check if email exists at login, display notice of needing to upgrade password, send email verification and allow password upgrade.