Apr 15 2010

Add a password reset feature to Halogen eAppraisal

One really important feature missing from Halogen eAppraisal is the ability for users to reset their own passwords.

Seems like such a basic feature, but even their friendly support folks confirmed that there was no add-on or plan to release the feature in a future version. Weird!

No matter though, let’s make our own.

Investigation

I spent untold amounts of time clawing through unfamiliar Java code. An occasional scrap was enough to forge my determination, but nothing really made sense yet. Too many files, too many directories, but maybe if I just kept trying…

A-ha!

Hidden deep within the lair of <Tomcat>\webapps\Halogen\WEB-INF\classes\com\halogensoftware\common\security\ is a file called ‘Utility.class’. Inside, a string that resembles the worst regular expression ever created.

^a`Z{b1Y}c2X[d3W]e4V|f5U\g6T:h7S;i8R"j9Q'k0P<l-O>m=N?n~M,o!L.p@K/q#Jr$Is%Ht^Gu&Fv*Ew(Dx)Cy_Bz+A

I was sure this string was used to encrypt the passwords stored in the database but I needed a way to confirm that so…

Using a test account, I set the password to the number 1, which was encrypted as the letter Y. Password 11 became Y}. Password 111 became Y}c.

Ah, so simple!

If your password was the ^ symbol, it would find it in the string above, then move right one space and choose the letter “a” as your encrypted password. If your password was ^^, the first encrypted character would be “a” again, but the second one would shift two places to the right and store the ` symbol.

Here are a few more example conversions.

  • ^^^ becomes a`Z
  • wT7w becomes (hi)
  • A+z becomes ^^^

Notice that in the last example we’ve simply wrapped around to the beginning once we ran off the right side of the key string.
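The conversions above pin down the whole scheme, so here is an added example (not the post's ASP code, and not Halogen's Java) in Python: an encoder that reproduces each listed conversion, and a decoder showing why these stored values are plaintext with a trivial twist rather than hashes, since anyone who can read the password column reverses them. The key string is the one from Utility.class above, with its leading ^.

```python
# Added example, not from the original post: the eAppraisal password
# "encryption" reconstructed from the worked conversions, plus a decoder.

# Substitution string found in Utility.class (95 characters, '^' appears twice).
KEY = "^a`Z{b1Y}c2X[d3W]e4V|f5U\\g6T:h7S;i8R\"j9Q'k0P<l-O>m=N?n~M,o!L.p@K/q#Jr$Is%Ht^Gu&Fv*Ew(Dx)Cy_Bz+A"


def encode(password: str) -> str:
    """Replace each character by the key character that sits its 1-based
    position further right, wrapping at the end (what the post observed)."""
    out = []
    for i, ch in enumerate(password, start=1):
        pos = KEY.find(ch)  # first occurrence, like VBScript's InStr
        if pos < 0:
            raise ValueError(f"unsupported character {ch!r}")
        out.append(KEY[(pos + i) % len(KEY)])
    return "".join(out)


def decode(stored: str) -> list[str]:
    """Return every plaintext that encodes to `stored`.

    Each stored character is undone by shifting left by its position. Because
    '^' occurs twice in the key, a stored '^' has two possible sources, so the
    result is a list; every other character reverses uniquely.
    """
    candidates = [""]
    for i, ch in enumerate(stored, start=1):
        sources = [p for p, k in enumerate(KEY) if k == ch]
        if not sources:
            raise ValueError(f"unsupported character {ch!r}")
        plain = sorted({KEY[(p - i) % len(KEY)] for p in sources})
        candidates = [c + s for c in candidates for s in plain]
    # Keep only candidates that really round-trip (encode() always picks the
    # first '^', so a plaintext derived from the second one is unreachable).
    return [c for c in candidates if encode(c) == stored]


if __name__ == "__main__":
    for pw in ("1", "11", "111", "^^^", "wT7w", "A+z"):
        print(f"{pw!r:8} -> {encode(pw)!r:8} -> {decode(encode(pw))}")
```

Running it reproduces the six conversions from the post and shows that `decode` recovers the original password from the stored column in every case, with a two-way ambiguity only when a stored character is ^.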

Now that we know how it works, let’s build our own utility in ASP that we can use to reset anyone’s password.

The Solution

Besides the obvious DSN string, you’ll want to carefully consider how you validate your users.

The setup I used at work talked to a Human Resources database and would validate no less than three pieces of information before even attempting a reset. I urge you dear reader to do the same.

sID = Request.Form("id")
sPassword = Request.Form("password")
sEncodePassword = ""

Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Open "DSN String for the Halogen eAppraisal Database"

'Look the account up with a parameterized query so the submitted id can never alter the SQL statement
Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.CommandText = "SELECT TOP 1 * FROM [view-user_info] WHERE username = ?"
oCmd.Parameters.Append oCmd.CreateParameter("username", 200, 1, 255, sID) 'adVarChar, adParamInput

Set oRS = Server.CreateObject("ADODB.Recordset")
oRS.Open oCmd, , 0, 3 'adOpenForwardOnly, adLockOptimistic

If not oRS.EOF then
	'The substitution string from Utility.class, including its leading ^ (the embedded quote is doubled for VBScript)
	sKeyCode = "^a`Z{b1Y}c2X[d3W]e4V|f5U\g6T:h7S;i8R""j9Q'k0P<l-O>m=N?n~M,o!L.p@K/q#Jr$Is%Ht^Gu&Fv*Ew(Dx)Cy_Bz+A"
	sKeyCodeLength = Len(sKeyCode)
	x = 1
	sBadChar = 0
	Do until x > Len(sPassword)
		sChar = Mid(sPassword, x, 1)

		If InStr(sKeyCode, sChar) then
			'Shift right by the character's position in the password
			sKeyCodePos = InStr(sKeyCode, sChar) + x
			If sKeyCodePos > sKeyCodeLength then
				'Need to loop around the beginning
				Do until sKeyCodePos <= sKeyCodeLength
					sKeyCodePos = sKeyCodePos - sKeyCodeLength
				loop
			End If
			sEncodeChar = Mid(sKeyCode, sKeyCodePos, 1)
			sEncodePassword = sEncodePassword & sEncodeChar
		Else
			'Could not find a character in sKeyCode
			sBadChar = sBadChar + 1
		End If
		x = x + 1
	loop

	If sBadChar > 0 then
		Response.Write "<p><strong>Unsupported characters were used to try to set the encrypted password. New password was not saved.</strong></p>"
	Else
		oRS("password") = sEncodePassword
		oRS("password_change_date") = Null
		oRS.Update
		'HTML-encode the submitted id before echoing it back to the browser
		Response.Write "<p>The password for your account " & Server.HTMLEncode(sID) & " has been reset.</p>"
	End If
Else
	Response.Write "<p><strong>A corresponding account for the user " & Server.HTMLEncode(sID) & " does not exist. Please contact support.</strong></p>"
End If

oRS.Close
oConn.Close
Set oRS = nothing
Set oCmd = nothing
Set oConn = nothing

Questions welcome so feel free to comment below.

See ya later, space cowboy.