AI OnAI Off
Any configuration to require previous password when changing password?
For editors and admins...no. You can set the new password without the old.
For your other users, that is solution specific and needs to be built by a developer. Normally you have a link to a "change password" function on your profile page. Add an extra field to gui and easiest is to use the membership provider method change password in the backend...
var ICanHazSuccess = System.Web.Security.Membership.Provider.ChangePassword("Daniel", "oldpass", "newpass");
Edited,
Apr 26, 2016 13:30
Hi,
We recently found the same issue in a security audit. It has been reported to the support. I'll keep you posted about the outcome of it.
Apr 27, 2016 22:55
Thanks for the replies and Mattias for making a ticket for it.
In our case this is would be needed for editors and admins, figured that it would just be some sort of a setting in web.config to enable.
Apr 28, 2016 11:31
@MattiasBomelin
Hello again! Have you received any news regarding the ticket?
Oct 10, 2016 8:55
Sorry I haven't reported back here. Epi has accepted it as a bug and it's in their todo, no estimate on when it will be implemented though.
Oct 10, 2016 11:20
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
Hey!
We had a security audit and they pointed out that changing an users password doesn't require the current password.
Is there a configuration or such that would enable requiring of the current password when an user is changing a password?
Thanks,
Jakke