Configure self-service "I forgot my password"

Web Central users who forget their password can request a new one through a self-service password reset.

Password Reset Process

To launch a password reset, click I forgot my password on Web Central's sign-in page. A dialog box prompts you to confirm.

Click Yes to confirm a password reset. To initiate the reset process, the sign-in page:

  • Generates a unique token and saves it to the database. The application parameter AbSystemAdministration-PasswordResetTokenExpiration specifies how much time elapses before the token expires.
  • Sets a permission that allows the requester to enter a new password while the session is active.
  • Sends an email message to the requester's email address. The message contains a link to Web Central's sign-in page, with the unique token as a parameter.

When the requester opens the message and clicks the link, the sign-in page looks up the token in the database. If the token has expired or is absent, the requester must restart the password reset process.

When the sign-in page locates the token, the Reset Password dialog box appears. The requester enters a new password and confirms the reset.

In response, the sign-in page checks whether the requester's session is still active and whether the requester's permission is set. If the session is inactive, the requester's permission is not set, or the application server has restarted, the requester must restart the password reset process. If the session is active and the permission is set, the sign-in page confirms the password reset. The requester then enters the new password to sign in to Web Central.

Process Settings

You can modify these application configuration parameters stored in the database:

Application | Parameter | Value | Description
AbSystemAdministration | PasswordResetTokenExpiration | 10 | Time period, in minutes, after which the password reset token expires.
AbSystemAdministration | PasswordResetPermitted | 1 | Whether or not the system administrator allows users to reset their password. If not, the "I forgot my password" link is not shown on the "Sign In" page.
AbSystemAdministration | GuestAccountPermitted | 1 | Whether or not the system administrator allows users to sign in as guest. If not, the "Sign in as guest" link is not shown on the "Sign In" page.

Web Central deletes records with expired tokens from the database every 24 hours. This cleanup is scheduled in the workflow rule passwordResetService. The workflow rule is enabled by default.
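The reset flow and settings described above, modelled as an added Python example (not Web Central's code), to show why the expiry check at lookup and the session permission check are separate gates. The class name ResetFlow, the in-memory dictionaries, the token generator and the single-use deletion on confirmation are assumptions made for illustration.

```python
import secrets
import time

TOKEN_EXPIRATION_MINUTES = 10  # value of PasswordResetTokenExpiration on this page


class ResetFlow:
    # Hypothetical model of the documented flow; names are assumptions.
    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}       # stands in for the database: token -> (user, expires_at)
        self.permissions = {}  # in-memory session state: session_id -> user

    def request_reset(self, user, session_id):
        # Generate the token, save it with its expiry, set the session permission.
        token = secrets.token_urlsafe(32)  # assumption: how the token is generated
        self.tokens[token] = (user, self.clock() + TOKEN_EXPIRATION_MINUTES * 60)
        self.permissions[session_id] = user
        return token  # would travel as a parameter of the emailed sign-in link

    def open_link(self, token):
        # Return the user only if the token is present and has not expired.
        record = self.tokens.get(token)
        if record is None or self.clock() >= record[1]:
            return None
        return record[0]

    def confirm_reset(self, token, session_id):
        # Both gates must pass: valid token AND permission set in this session.
        user = self.open_link(token)
        if user is None or self.permissions.get(session_id) != user:
            return False
        del self.tokens[token]           # assumption: a token is single-use
        del self.permissions[session_id]
        return True

    def server_restart(self):
        # Session permissions are lost on restart; stored tokens are not.
        self.permissions.clear()

    def purge_expired(self):
        # Model of the scheduled cleanup; returns the number of records deleted.
        now = self.clock()
        expired = [t for t, (_, exp) in self.tokens.items() if now >= exp]
        for t in expired:
            del self.tokens[t]
        return len(expired)
```

Expired records stay in the store until the cleanup runs, so the expiry comparison in open_link is what actually rejects a stale link.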

After the requester confirms the password reset, the sign-in page sends an email message to the requester's address. To modify the message's subject and body, edit the corresponding record in the “messages” table.

Note: If you modify the token expiration time set in AbSystemAdministration-PasswordResetTokenExpiration, modify the expiration time in the sign-in page's outgoing email message as well.

See also

Password Change Form