Adding forced password reset?

Cantor, Scott cantor.2 at
Thu Apr 17 12:57:37 EDT 2014

On 4/17/14, 12:54 PM, "Paul Hethmon" <paul.hethmon at>
>Having the change password page behind SSO can leave a hole open to the
>forced password change. User logs in, gets Shib session, directed to
>change password. Simply ignores it and accesses their original target.
>Previous session handler sends them to the original target. Just be aware
>it's a circumstance you have to allow for.

Yeah, "force" is something only the authentication system can impose, but
reminding is what we do. My custom handler contribution includes a
submodule that detects password age based on a resolved attribute and
drops a cookie to track reminders every so many hours.

-- Scott

More information about the users mailing list