Configuring password resets for Xperience administration

Copy to clipboard

If editors or other administration interface users forget their password, they may reset it, provided they have access to the email address specified for their account.

Note

Resetting of passwords is not possible for external users (for example Active Directory users created using Mixed-mode Windows authentication).

When submitting a password reset request, users must type in their email address. The request affects only the user account with the corresponding email address. If the entered email address does not correspond to any registered user, the system does not send the email.

Password recovery emails are sent from the address specified in the Send password emails from setting in Settings -> Security & Membership -> Passwords.

The sign in page of the administration interface, contains a Forgotten password link default. You can hide the link by adding the following key to the /configuration/appSettings section of the Xperience administration project’s (CMSApp) web.config file:




<add key="CMSShowForgottenPassLink" value="false" />

Password reset functionality

Password reset requires email approval from the affected user. Users who submit a password recovery request through the sign-in form first receive an email containing a link.

The main security benefits of this approach are:

  • Passwords are not directly included in the email, so they cannot be read by potential attackers.
  • The reset links are only valid temporarily. The time period during which the links are valid can be specified in hours via the Reset password interval setting.
  • After someone uses a password reset link, it becomes invalid and cannot be accessed again.
Note: Certain types of web filtering software may interfere with password reset links. If an automatic tool accesses the password reset page before it is opened by the actual user’s client, the password recovery request will be invalid.

When users click the link in the email, they are redirected to the ~/CMSModules/Membership/CMSPages/ResetPassword.aspx system page, where they can set a new password. The URL of the link contains a token in its query string that automatically identifies the user whose password should be changed.

Recovering administrator password

If you happen to lose the password for your administrator account and cannot access the administration interface, you can use one of the following approaches to recover it:

  • Reset password via a web.config key – insert the CMSAdminEmergencyReset key to the appSettings section of your web.config. For example:

    


  <add key="CMSAdminEmergencyReset" value="admin;password;true" />
    • admin – this value specifies the user name of the new account.
    • password – this value specifies the password for the new account – you should change it to your own value.
    • The third parameter is optional and indicates whether you want to create a new user with the Global administrator privilege level.
    • The key will be automatically deleted after you gain access to the user interface.

  • Clear password in the database – find your user record in the CMS_User table and clear the contents of the UserPassword column. Then sign in to the administration interface with a blank password and set a new password.

Password recovery email templates

The emails sent to users during the password retrieval process are based on email templates, which can be found in the Email templates application. The following password‑related templates are available:

  • Membership - Change password request– sent as a reply to password recovery requests.
  • Membership - Password reset confirmation – sent to the user upon a successful password reset. Also sent when an administrator manually sets a new password for a user.
  • Membership - Changed password – sent to users if a new password is generated for their account by an administrator.

These templates can be edited as needed, so you may fully customize the content of the emails. You can enter context macros to include dynamic values in the template text:

Template

Context-specific macros

Change password request

  • {% ResetPasswordURL %} – resolves into the URL of the page where the user can change their password.
  • {% CancelURL %} – returns the URL of a page that will cancel the request when opened. This can be used to create links that users can click in situations where someone else requested a new password for their user account (either intentionally or accidentally).
  • {% User %} – allows you to access the properties of the user who sent the change password request, for example: {% User.UserName %}
  • {% IP %} returns the IP address of the device the change password request was issued from. This can be used to notify users of the origin of unwanted password reset requests.

Password reset confirmation

  • Common user properties, such as {% UserName %}, {% FirstName %}, {% Email %}, etc.

Changed password

  • {% Password %} – the current (new) password of the given user.
  • Common user properties, such as {% UserName %}, {% FirstName %}, {% Email %}, etc.

In addition to the special macros listed above, you can also use all other standard macro expressions in the templates. See the Macro expressions chapter for more information about macro expressions in Xperience.