    • 29059
    • 88 Posts
    hello folks,

    i mentioned this over @ https://forums.modx.com/thread/99941/login-register---404-error?page=3#dis-post-541118
    ...but since it's off-topic from that, i'm creating this new topic.

    i've discovered (after getting all the complaints & having to fix manually all the people who are having this problem) that the "Forgot Password" option auto-generates an 8 character password. but it never works to sign-in with because i have all my validation set to 10 characters.

    i would prefer not to have to drop my password registration/login validation to 8 characters, but if there's no solution, i realize i'll have to.

    so i went hunting first & found in the System Settings > Core listing a couple parameters that seem to me should fix this to my preference... but they aren't working.
    they are...

    so i changed them to 11 & 10 respectively. but the forgot password emails STILL are only sending 8 character passwords.

    am i missing something?
    thanks!!!

    This question has been answered by sottwell. See the first response.

    [ed. note: syberknight last edited this post 7 years, 11 months ago.]
      • 29059
      • 88 Posts
      anyone? no one?
        • 46886
        • 1,154 Posts
        Hmm this is interesting, I guess Revo system settings not being passed to login...
          • 29059
          • 88 Posts
          Quote from: nuan88 at May 03, 2016, 06:22 AM
          Hmm this is interesting, I guess Revo system settings not being passed to login...

          hi Nuan88,

          yeah, i find all the interesting issues, huh?! ;-)

          i am stumped, yet again. i've searched these forums, the modx site, & many many many google results pages. not found anything about this. the only similar things that mention it is that it's there & can be used.

            • 29059
            • 88 Posts
            anybody? nobody? Bob? devs?
            • discuss.answer
              The only thing you can do is hack the Login core/components/login/model/login/login.class.php on line 188 and change that default value.
                  public function generatePassword($length=8) {


              It really should get that default value from the System Settings.
                Studying MODX in the desert - http://sottwell.com
                Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                Join the Slack Community - http://modx.org
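
The fix the answer above asks for, as an added example that is not the Login extra's code: the generated length is read from configuration and clamped to the minimum the site's validation enforces, so a reset password can never fail the site's own policy. The `$settings` array and its two key names are hypothetical stand-ins for the System Settings mentioned in the thread, and `generateResetPassword()` is a made-up name.

```php
<?php
// Added example, not the Login extra's code. $settings stands in for the
// MODX System Settings; both key names are hypothetical.
$settings = ['generated_length' => 11, 'min_length' => 10];

/**
 * Generate a random password whose length comes from configuration
 * instead of a hardcoded default, and never falls below the minimum
 * that the login/registration validation enforces.
 */
function generateResetPassword(array $settings, ?int $length = null): string
{
    $min = (int) ($settings['min_length'] ?? 8);
    // An explicit argument wins, then the configured length, then the old default of 8.
    $length = $length ?? (int) ($settings['generated_length'] ?? 8);
    // Clamp up: a generated password must satisfy the site's own policy.
    $length = max($length, $min);

    // Alphabet without look-alike characters (0/O, 1/l/I), because users
    // retype the password from an email.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $last = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the operating system's CSPRNG (PHP 7+).
        $password .= $alphabet[random_int(0, $last)];
    }
    return $password;
}

// No explicit length: the configured value is used and checked against the minimum.
$pw = generateResetPassword($settings);
printf("%d chars, passes policy: %s\n", strlen($pw),
    strlen($pw) >= $settings['min_length'] ? 'yes' : 'no');

// A caller that still passes the old hardcoded 8 is clamped up to the minimum.
printf("%d chars\n", strlen(generateResetPassword($settings, 8)));
```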
                • 3749
                • 24,544 Posts
                I can confirm that Susan's solution is the best way to do it. The only other way would be to alter the generatePassword() call in line 210 of ForgotPassword.php and that wouldn't affect other possible places where the function is called.

                The good news is that the Login package is very seldom updated, though personally, I wouldn't mind seeing it rewritten from scratch. wink
                  Did I help you? Buy me a beer
                  Get my Book: MODX:The Official Guide
                  MODX info for everyone: http://bobsguides.com/modx.html
                  My MODX Extras
                  Bob's Guides is now hosted at A2 MODX Hosting
                  • 29059
                  • 88 Posts
                  @sottwell: THANK YOU SO MUCH!!! i've changed that & it's working fine.

                  @BobRay: THANK YOU TOO for the confirmation.

                  BUT NOW, how do you guys deal with people who sign up, but don't click the activation link before it expires?
                  do you send them to RE-REGISTER or send them to the FORGOT PWD option?


                  if RE-REGISTER... wouldn't that then conflict with the non-activated account they've already created?

                  if FORGOT PWD... after testing, this option does not "Activate" the user, only resets the password. so how would you get this to also Activate them?

                  i've had my hands full this week'n'last with people who fit this scenario & i'm having to go in & manually "Activate" them AND reset their password.

                  Also, BOBRAY... how viable is your "Subscribe" Extra as a full replacement for the "Login" Extra? does it do all the same features?

                  THANKS!!!
                    • 3749
                    • 24,544 Posts
                    The Register process creates the user, complete with username and password, so if you just manually activate the user, they should be able to log in with their original username and password. So far, I've almost never had to reset anyone's password.

                    Subscribe is mostly just a wrapper for the Login extra's registration process. It doesn't really replace it. It's just intended to make it easier to set up and to add the option of user-selected interests and group membership.
                      • 29059
                      • 88 Posts
                      Quote from: BobRay at May 05, 2016, 04:58 AM
                      The Register process creates the user, complete with username and password, so if you just manually activate the user, they should be able to log in with their original username and password. So far, I've almost never had to reset anyone's password.

                      Thanks for the reply Bob!

                      yeah, i know i can manually activate users as well as reset their passwords from the Manager. i'm just trying to figure out a way to not have to do that.

                      i had a few issues out-the-gate and had a TON of users i had to do both for. i THINK i've gotten those issues fixed, but it'd still be nice in case there are further problems, if i could just direct people what to do instead of do it myself.

                      i have figured out via testing that if a user fails to click the activation email/link before it expires, that they 'can' simply re-register & do it again just fine. but that poses 2 potential problems that i can see...
                      1) what if they don't use the same information (username/email), then there could be left a dead account in the system; which is only a big deal for my OCD ;-)
                      2) they could decide that it's too much trouble & go away altogether.

                      ideally (i think), there should be some way for either the Forgot Password to be able to activate an account when its link is clicked, or have a separate mechanism/option to resend the activation link if user enters an email address that matches a non-activated account.

                      do you know of a way to accomplish this (within reason)?

                      also, thanks for the info on Subscribe.