2015-01-07

Hello everyone, I'm new to ASP. What I'm trying to do is: if the user forgot the password, the page asks for an email address and he/she retrieves the same password from the database through that email. My problem is that the database password is all encrypted, so if I retrieve it, it will show the encrypted password as well. Please help. Thanks


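<!--#include file="include_login_header.asp" -->
<%@Language = JScript %>
<% Response.Buffer = true; %>
<!--#include virtual="/medacist_admin/globals.asp" -->
<%
// change_password.asp - lets an already logged-in client user replace their password.
//
// Session state expected from the login flow (client_login.asp):
//   health_system_code, facility_code, username - identify the medacist_user row;
//   region                                      - picks the landing page after success;
//   failure_count, one_time_use_flag            - lockout counter and temp-password marker.
// Helpers and constants come from globals.asp: execSQL(sql, paramArray),
// logAccess(...), validatePassword(pass), BASE_HOST_URL, PASSWORD_EXPIRATION.
//
// NOTE(review): medacist_user.medacist_password holds md5(password), a one-way
// hash, so a "forgot password" page cannot mail the original password back.
// The workable design is to set a new temporary password (or a reset token),
// mail that, and send the user through one_time_use_flag / new_password.asp
// to pick a new one. Unsalted MD5 is also a weak password store; a salted,
// slow hash should replace it whenever the schema can change.

// All three keys must be present. String(undefined) is "undefined" in JScript,
// so the replace turns a missing session value into "".
if (String(Session("health_system_code")).replace("undefined","") == "" ||
    String(Session("facility_code")).replace("undefined","") == "" ||
    String(Session("username")).replace("undefined","") == "") {
    Response.Write("Please <a target=\"_blank\" href=\"" + BASE_HOST_URL + "/login/" + "client_login.asp\">login</a>");
    Response.End();
}

var mregion = String(Session("region")).replace("undefined","");
%>
<br>
<div align=center>
<link rel="stylesheet" href="css/styles.css">
<h2>Medacist Client Services - Change Password</h2>
<%
var sErrorDisplay = "";

// A one-time (temporary) password is replaced on new_password.asp only,
// never through this form.
if (String(Session("one_time_use_flag")) == "Y") {
    Response.Redirect("new_password.asp");
}

if (Request.ServerVariables("REQUEST_METHOD") == "POST") {
    var nFailureCount = Session("failure_count") == undefined ? 0 : Session("failure_count");
    // Validation errors accumulate as a comma-separated list with a leading
    // comma; they are split into <li> items further down.
    var sError = "";
    var sOldPass = String(Request.Form("old_password")).replace("undefined","");
    var sNewPass = String(Request.Form("new_password")).replace("undefined","");
    var sConfirmNewPass = String(Request.Form("confirm_new_password")).replace("undefined","");

    if (sOldPass == "") {
        sError += ",Old Password is required";
    }
    if (sNewPass == "") {
        sError += ",New Password is required";
    }
    if (sConfirmNewPass == "") {
        sError += ",Confirm Password is required";
    }
    if (sNewPass != sConfirmNewPass) {
        sError += ",New password and Confirm New password do not match";
    }
    // FIX: the history table only holds passwords that preceded the current
    // one, so re-entering the current password would otherwise pass as a change.
    if (sNewPass != "" && sNewPass == sOldPass) {
        sError += ",Passwords cannot be reused.";
    }

    // The database hashes the submitted old password so it can be compared
    // with the stored md5; the script never handles a stored plaintext here.
    var rsOldPass = execSQL("select cast(md5(?)as char) hash_password, medacist_password " +
        " from medacist_user " +
        " where health_system_code = ? " +
        " and facility_code = ? " +
        " and username = ? ",
        Array(sOldPass,Session("health_system_code"),Session("facility_code"),Session("username")));

    // FIX: guard Eof so a missing user row is treated as a wrong password
    // instead of throwing on .fields().
    if (rsOldPass.Eof ||
        String(rsOldPass.fields("medacist_password").value) != String(rsOldPass.fields("hash_password").value)) {
        if (nFailureCount >= Application("MAX_ATTEMPT")) {
            execSQL("update medacist_user set locked_out_flag = 'Y', locked_out_date_time=Now() " +
                " where health_system_code = ? and facility_code = ? and username = ?",
                Array(Session("health_system_code"),Session("facility_code"),Session("username")));
            logAccess(Session("health_system_code"),Session("facility_code"),Session("username"),"LOCKOUT","failure. Max attempt count exceeded. Account has been locked out. failure count:" + nFailureCount);
            Session.Abandon();
            // Response.Redirect ends the response; the counter update below
            // does not run for a locked account.
            Response.Redirect("account_locked.asp");
        }
        nFailureCount++;
        // FIX: the attempted password is no longer written to the access log.
        // A wrong attempt is frequently a valid password with a typo, and the
        // log is readable by far more people than the password column.
        logAccess(Session("health_system_code"),Session("facility_code"),Session("username"),"CHANGE_PASSWORD","failure. failure count=" + nFailureCount);
        Session("failure_count") = nFailureCount;
        sError += ",Old Password is incorrect";
    }

    if (sError.length == 0) {
        // NOTE(review): medacist_password_hist rows are inserted (below) as
        // plaintext so that the substring "too similar" test can run. That
        // leaves every former password recoverable from the database; storing
        // md5() there and comparing hashes (dropping the similarity test) would
        // close that gap.
        var rsPass = execSQL("select medacist_password " +
            " from medacist_password_hist " +
            " where health_system_code = ? " +
            " and facility_code = ? " +
            " and username = ? ",
            Array(Session("health_system_code"),Session("facility_code"),Session("username")));
        while (!rsPass.Eof && sError.length == 0) {
            if (sNewPass == rsPass.fields("medacist_password").value) {
                sError += ",Passwords cannot be reused.";
            } else if (sNewPass.indexOf(rsPass.fields("medacist_password").value) > -1) {
                sError += ",New password is too similiar to previous one";
            }
            rsPass.moveNext();
        }
    }

    // Complexity rule is implemented by validatePassword in globals.asp.
    if (sError.length == 0) {
        if (!validatePassword(sNewPass)) {
            sError += ",Invalid password. Must contain upper and lower case letters, Contain numbers, Between 8 and 12 characters in length,Contain a symbol";
        }
    }

    if (sError != "") {
        sError = sError.substr(1); // drop the leading comma
        var vError = sError.split(",");
        sErrorDisplay = "<ul>";
        for (var v in vError) {
            if (vError[v] != "")
                sErrorDisplay += "<li>" + vError[v] + "</li>\n";
        }
        sErrorDisplay += "</ul>";
    } else {
        // NOTE(review): this update and the expiry select match the username
        // with lower(?) while every other query compares it as-is; confirm the
        // stored username is always lower-case.
        execSQL("update medacist_user \n" +
            " set password_creation_date_time = Now(), \n" +
            " password_expiration_date_time = date_add(now(),INTERVAL ? DAY), \n" +
            " medacist_password=md5(?), \n" +
            " one_time_use_flag='N'  \n" +
            " where health_system_code= ?  \n" +
            " and facility_code = ?  \n" +
            " and username = lower(?)",Array(PASSWORD_EXPIRATION,sNewPass,Session("health_system_code"),Session("facility_code"),Session("username")));
        // The password just replaced becomes history (see the NOTE above on
        // plaintext storage).
        execSQL("insert into medacist_password_hist (health_system_code,facility_code," +
            " username,medacist_password) values (?,?,?,?)",
            Array(Session("health_system_code"),Session("facility_code"),Session("username"),sOldPass));
        logAccess(Session("health_system_code"),Session("facility_code"),Session("username"),"CHANGE_PASSWORD","success. password changed");
        var rsExpire = execSQL("select DATE_FORMAT(password_expiration_date_time,'%m/%e/%Y %H:%i:%s')  password_expiration_date_time " +
            " from medacist_user where health_system_code= ? and facility_code = ? and username = lower(?)",
            Array(Session("health_system_code"),Session("facility_code"),Session("username")));
        Session("logged_in") = "Y";
        Session("failure_count") = 0;
        Session("password_expiration_date_time") = rsExpire.fields("password_expiration_date_time").value;
        // Users with a region land on the _S variant of the data page.
        if (mregion == null || mregion == '') {
            Response.Write("Password changed. <a href=\"client_data.asp\">Click here</a> to continue.");
        } else {
            Response.Write("Password changed. <a href=\"client_data_S.asp\">Click here</a> to continue.");
        }
        Response.End();
    }
}
Response.Write(sErrorDisplay);
%>
<%-- FIX: "/login/" is now a quoted string; the unquoted form was a regex
     literal that only produced the right URL because /login/ stringifies
     to "/login/". --%>
<form name="change_password" action="<%=BASE_HOST_URL + "/login/"%>change_password.asp" method="post">
<table>
<tr><td>Health System code</td><td><%=Session("health_system_code")%></td></tr>
<tr><td>Facility code</td><td><%=Session("facility_code")%></td></tr>
<tr><td>User Name</td><td><%=Session("username")%></td></tr>
<tr><td>Old Password</td><td><input type="password" name="old_password"></td></tr>
<tr><td>New Password</td><td><input type="password" name="new_password"></td></tr>
<tr><td>Confirm New Password</td><td><input type="password" name="confirm_new_password"></td></tr>
</table>
<table width="400"><tr><td bgcolor="#ffffcc">
Note that passwords must contain a mixture of upper and lower case letters, numbers, be between 8 and 12 characters in length and contain a symbol.
</td></tr></table>
<br>
<input type="submit" value="Change Password">
</form>
</div>
<!--#include file="include_login_footer.asp" -->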
