Front-End Account Password and Login Security Updates

Change Password Storage from Encryption to Secure Salted Hash (#10627)

Shopper password storage has been updated to provide a higher level of protection: passwords are now stored as salted hashes rather than as encrypted values. As a result, passwords cannot be retrieved and must be reset, either in the Console or by the shopper via the new Forgot My Password feature.

Convert Password from Previous Version Format to New Format During Upgrade Installer (#11399)

When upgrading from a previous version of CyberStore, the installation program automatically converts passwords from the previous format. This process is processor intensive, so plan for additional time during the upgrade. Depending on the number of accounts, allow up to 1 hour of conversion time for every 5000 accounts in your CyberStore. Be aware that the installer may appear to be hung while it is simply processing the data; it will finish on its own once the conversion is done.

Details about the conversion process are recorded in the install.log file if you need them.

Reset Password Instead of Email Existing Password (#11400)

Front-end account passwords can no longer be retrieved by shoppers. Instead, a new forgot-password recovery feature has been built. The feature sends an email to the shopper's address containing a verification code and a link back to the site. Upon returning to the site from the email, the shopper submits the code to confirm the request and is then able to change their password.

The password change request verification code remains valid for 30 minutes and then expires. 
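The two changes described above (salted-hash storage instead of reversible encryption, and a reset flow driven by a verification code that expires after 30 minutes) are illustrated by the following added example. It is not CyberStore's code: the in-memory pending-request table, the 8-digit code format and the PBKDF2 parameters are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000          # assumed work factor; tune to the server's capacity
CODE_TTL_SECONDS = 30 * 60           # verification code lifetime stated in the release notes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per account means identical
    passwords yield different digests, and the original value cannot be recovered."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Hypothetical stand-in for a pending-reset table: email -> (sha256(code), expiry timestamp).
# Only a hash of the code is kept, so reading the table does not yield usable codes.
_pending: dict = {}


def create_reset_request(email: str, now: float) -> str:
    """Generate the code that would be emailed to the shopper and record its hash and expiry."""
    code = f"{secrets.randbelow(10**8):08d}"      # assumed 8-digit code format
    _pending[email] = (hashlib.sha256(code.encode()).digest(), now + CODE_TTL_SECONDS)
    return code


def confirm_reset(email: str, submitted_code: str, new_password: str,
                  now: float) -> Optional[Tuple[bytes, bytes]]:
    """Validate the submitted code; on success return the new (salt, digest) to store.
    Returns None for an unknown request, an expired code, or a wrong code."""
    entry = _pending.get(email)
    if entry is None:
        return None
    code_hash, expires_at = entry
    if now >= expires_at:
        _pending.pop(email, None)                  # expired: discard so it cannot be reused
        return None
    submitted_hash = hashlib.sha256(submitted_code.encode()).digest()
    if not hmac.compare_digest(submitted_hash, code_hash):
        return None                                # wrong code: request stays pending
    _pending.pop(email)                            # correct code is single-use
    return hash_password(new_password)
```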

Due to the new functionality, the CustomerForgotPWControl has been completely re-engineered, so if you have customized your version, be sure to replace it and re-apply your customizations if desired.

Update Verification Code and Password Request URL when Sending Password Info to Shopper from Console (#11529)


Update Default Wording for Forgot Password Email in COM_Cleanup (#11622)

With the updates to the forgot-password function, the "ForgotMyPassword" email template must be replaced: it can no longer send a password (which is now technically impossible) and instead needs a version that sends the reset-password verification code and link.

During new installs, the new template format is applied to the database by default. For upgraders, do the following:
  1. Visit the Setup > Email Manager screen
  2. Delete the existing ForgotMyPassword template
  3. Load any front-end page of your site
  4. Return to Setup > Email Manager and refresh the grid if needed; a new version of the ForgotMyPassword template will be visible
  5. Edit as desired (Note: be sure to restore your preferred header options, such as the From address)
The following sample HTML for your forgot password template is provided:
     A password reset request was received for [] from [webaddress].
     If you initiated this request please visit the <strong><a href="[changepasswordurl]">Password Retrieval Request Page</a></strong>
     to confirm the request using the verification code below.
     <blockquote><strong>Verification Code: [verificationcode]</strong></blockquote>
     Please note that the code above will expire 30 minutes from the time the request was made.
     This email was sent automatically by the [webaddress] Forgot Password Function.
     <br />
     If you did not request this email, we recommend you change your account password at
     <i>[my account URL].</i>
     This is an automated message, please do not reply.
     <hr>

