ResetPassword URL

Resets or updates passwords of users. This command works regardless of the authentication mode: Database, LDAP or Third Party.

The ResetPassword function can be used by the following users:

  1. Registered storefront users and administrators, to update their own passwords, while authenticated.
  2. Registered users who want to log on but have forgotten their password. They can use this command to reset their password without logging in. There are three methods that you can use to generate a temporary login for the user:
    1. A randomly generated password is emailed to the registered user. This method is now deprecated.
    2. A long validation code that is based upon their ID and other information is emailed to the user. The user then enters the validation code along with a new password to update their login credentials. This method is now deprecated.

      For more information, see Configuring Reset Password to use long validation codes.

Use this URL with SSL (Secure Sockets Layer) to ensure that the logon password and personal information are encrypted. To do so, type the URL with the HTTPS secure protocol.

Warning: Only use HTTP POST with this URL. By using HTTP GET, passwords can be logged in the browser history, or in web server logs.

URL structure

http:// host_name/path/
The fully qualified name of your HCL Commerce Server and the configuration path

Parameter values

langId
Sets or resets the preferred language for the duration of the session; the supported languages for a store are found in the STORELANG table
URL
The URL to be called when the command completes successfully
storeId
The reference number of a store
reLogonURL
The URL to which the ResetPassword command is redirected in the case of an error condition
logonId
The logon ID of the user whose password is to be reset
challengeAnswer
Answer to the challenge question; used to confirm the identity of the user
logonPassword
The new password of the user
logonPasswordOld
The current password of the user
logonPasswordVerify
The verified password of the user, which must be identical to logonPassword
validationCode
The randomly generated code that is emailed to the registered user.

Example 1: Reset password while unauthenticated (emails a temporary password)

Note: This option is deprecated with Version 9.1.7.0 and will be removed from a future version of the product.

This example resets a password by providing the logonId and the challenge answer for registered users who may have forgotten their password. Note that as they have forgotten their password, they need to run as guest:

https://myhostname/webapp/wcs/stores/servlet/ResetPassword?URL=basemall.jsp
    &logonId=a&challengeAnswer=a

If the user is a guest, the command verifies that the supplied answer to the challenge question matches the one in the database. If the match is successful, it generates an arbitrary password, updates the database, and emails the password to the user (identified by the value of the logonId parameter).

Example 2: Reset password while authenticated

This example resets a password by specifying the old and new passwords for registered users who want to update their passwords:


    https://myhostname/webapp/wcs/stores/servlet/ResetPassword?URL=basemall.jsp   
&logonPasswordOld=a&logonPassword=b&logonPasswordVerify=b

If the user is a registered customer, or administrator, it verifies that the old password is correct and that the new password matches the verified password. It also verifies that the password complies with requirements defined by this user's password policy. If all conditions are satisfied, it updates the database with the new password.

Example 3: Reset password while unauthenticated (emails a validation code)

This example requires two steps:
  1. Resets a password by providing the logonId and the challenge answer for registered users who may have forgotten their password.
    Note: As they have forgotten their password, they need to run as a guest:
    https://myhostname/webapp/wcs/stores/servlet/ResetPassword?logonId=jsmith&challengeAnswer=TheRedFoxFlies&URL=LogonForm

    If the user is a guest, the command verifies that the supplied answer to the challenge question matches the one in the database. If the match is successful, it generates a validation code, and emails the code to the user.

  2. Enters the validation code, new password, and new password verification. This step must be completed within the time frame that is specified in ResetPasswordGuestCmdImpl.getExpiryPeriod() which defaults to 30 minutes.
    https://myhostname/webapp/wcs/stores/servlet/ResetPassword?validationCode=289213&logonPassword=Just4Fun!&logonPasswordVerify=Just4Fun!&URL=LogonForm
    

Behavior

  • This command calls the following task commands:
  • The command checks the required parameters. If the parameters are missing or invalid, it sets one of the error tasks with the appropriate error codes.
  • If the registered user is running as a guest customer, it verifies that the supplied answer to the challenge question matches the one in the database. If the match is successful, it generates an arbitrary password, updates the database, and emails the password to the customer (identified by the value of the logonId parameter).
    Note: Optionally, the command can be configured to email a validation code instead. The user would then specify the validation code along with a new password to update their password.
  • If the user is a registered customer or administrator and is currently logged on, it verifies that the old password is correct and the new password matches the verified password. It also verifies that the password complies with requirements defined by this user's password policy. If all conditions are satisfied, it updates the database with the new password.
  • When the command successfully completes, it calls the specified URL.
  • Users who have been given a randomly generated password by the Reset Password command, and authenticate against the HCL Commerce database, will need to change their password after the first logon with that new password.

Exception conditions

On an error condition, if you specify an error URL in the reLogonURL parameter, the ResetPassword command gets redirected to that URL and an error code is placed on the request. Otherwise, if you do not use the reLogonURL parameter, the command will throw an ECApplicationException and redirect to a error view depending on user identity. You can obtain the error code by using the class ErrorDataBean.

If a required parameter is missing or incorrect, the ResetPassword command sets one of the following error codes, depending on the identity of the requester. These error codes get added to the specified error URL if you use the reLogonURL parameter:

Error view based on identity:

Registered user
ResetPasswordRegisterErrorView
Guest user
ResetPasswordGuestErrorView

Error conditions and associated error codes:

Command requester Error condition and associated error code
Guest or a logged in user.
Missing URL parameter.
ECSecurityConstants.ERR_MISSING_REDIRECTURL (1000)
Note: In this case, the command will redirect to the ResetPasswordView error view.
Guest
The logonId is missing.
ECSecurityConstants.ERR_MISSING_LOGONID (2000)
The logonId does not belong to a valid registered user.
ECSecurityConstants.ERR_INVALID_LOGONID (2010)
The challenge answer was not supplied.
ECSecurityConstants.ERR_MISSING_CHALLENGEANSWER (1010)
The challenge answer supplied is incorrect.
ECSecurityConstants.ERR_INVALID_CHALLENGEANSWER (1020)
The e-mail address for the supplied logonId is missing.
ECSecurityConstants.ERR_MISSING_EMAIL (2100)
The user account is disabled.
ECSecurityConstants.ERR_DISABLED_ACCOUNT (2110)
Validation code is incorrect
ECSecurityConstants.ERR_INVALID_VALIDATION_CODE (2190)
Validation code has expired
ECSecurityConstants.ERR_EXPIRED_VALIDATION_CODE (2195)
The parameter logonPassword is missing.
ECSecurityConstants.ERR_MISSING_NEWPASSWORD (2060)
The parameter logonPasswordVerify is missing.
ECSecurityConstants.ERR_MISSING_NEWPASSWORDVERIFY (2070)
Logged in user
The logonPasswordOld parameter is missing.
ECSecurityConstants.ERR_MISSING_OLDPASSWORD (2040)
The parameter logonPassword is missing.
ECSecurityConstants.ERR_MISSING_NEWPASSWORD (2060)
The parameter logonPasswordVerify is missing.
ECSecurityConstants.ERR_MISSING_NEWPASSWORDVERIFY (2070)
The parameter logonPassword and logonPasswordVerify do not match.
ECSecurityConstants.ERR_MISMATCH_PASSWORDS (2080)
The logged in user supplied an incorrect old password.
ECSecurityConstants.ERR_INVALID_OLDPASSWORD (2050)
The password length is too short.
ECSecurityConstants.ERR_MINIMUMLENGTH_PASSWORD (2200)
The number of allowed consecutive characters of this type is greater than the allowed maximum.
ECSecurityConstants.ERR_MAXCONSECUTIVECHAR_PASSWORD (2210)
The number of allowed instances of characters of this type is greater than the allowed maximum.
ECSecurityConstants.ERR_MAXINTANCECHAR_PASSWORD (2220)
The password does not contain the required minimum number of letters.
ECSecurityConstants.ERR_MINIMUMLETTERS_PASSWORD (2230)
The password does not contain the required minimum number of digits.
ECSecurityConstants.ERR_MINIMUMDIGITS_PASSWORD (2240)
The password cannot match the userid.
ECSecurityConstants.ERR_USERIDMATCH_PASSWORD (2250)
The password cannot be the same as the previous password.
ECSecurityConstants.ERR_REUSEOLD_PASSWORD (2260)
The user account is disabled.
ECSecurityConstants.ERR_DISABLED_ACCOUNT (2110)

The error handler is ECConstants.EC_ERROR_CODE.