Add-on

Rotate

Force members to rotate their passwords on a regular basis, right in your EE site!

INSTALLATION

  1. Copy entire `rotate` folder to your `system/user/addons` folder.
  2. On your EE backend, navigate to `Developer > Addons` (yoursite.com/admin.php?/cp/addons).
  3. Scroll to `Third Party Add-Ons`.
  4. Find `Rotate` and click `Install`.
  5. Add your settings, and enjoy!

SETTINGS

Control Panel

Navigate to `Developer > Addons > Rotate` to configure the add-on. The following settings are available:

  • Active: Enable or disable password rotation enforcement. When inactive, no members will be forced to reset.
  • Number of Days: The number of days before a member is forced to reset their password. Default: `90`.
  • Number of Previous Passwords: The number of previous passwords tracked per member. Members cannot reuse any of these passwords when resetting. Setting this higher ensures more unique passwords over time. Default: `3`.
  • Redirect URL: The URL members are redirected to when a password reset is required. Leave empty to use the default CP password change page (`members/profile/auth`).

How It Works

On Login

When a member logs in, Rotate checks their password history:

  1. If no history exists yet, one is created with the current password and date. The member is allowed through.
  2. If a history exists and the password has not changed, Rotate checks whether the configured number of days has elapsed. If so, the member is redirected to the password reset page.
  3. If a history exists and the password has changed since the last login, Rotate verifies that the new password was not previously used. If it was reused, the member is redirected to reset again. If it is unique, the timer resets and the member is allowed through.

On Every Page Load

Rotate also enforces password expiration on every CP page load via the `sessions_end` hook. This prevents members from navigating away from the reset page without changing their password. Members are always allowed access to `members/profile`, `login`, and `logout` pages.

If a member changes their password and then navigates to another page, Rotate detects the change and allows them through.

Password Reuse Detection

Password reuse can only be checked during login, when the plaintext password is available. Rotate uses `password_verify()` against stored bcrypt hashes to determine if a password was previously used.
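
The login checks and reuse detection described above, sketched in PHP as an added example (this is not Rotate's own code). The function name `rotate_check_login`, the history array shape, detecting a changed password by testing the newest tracked hash, and keeping the current hash plus `$keep` previous ones are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the Rotate add-on's source. The function name and the
// history shape ('hashes' newest first, 'last_updated' Unix time) are hypothetical.
function rotate_check_login(?array $history, string $plaintext, int $now,
                            int $maxDays = 90, int $keep = 3): array
{
    // Step 1: no history yet. Record the current password and let the member in.
    if ($history === null) {
        $hash = password_hash($plaintext, PASSWORD_BCRYPT);
        return ['allow', ['hashes' => [$hash], 'last_updated' => $now]];
    }

    // Step 2: password unchanged (matches the newest tracked hash). Check its age.
    if (password_verify($plaintext, $history['hashes'][0])) {
        $expired = ($now - $history['last_updated']) >= $maxDays * 86400;
        return [$expired ? 'reset' : 'allow', $history];
    }

    // Step 3: password changed. bcrypt hashes are salted, so two hashes of the same
    // password differ; each stored hash must be verified against the plaintext.
    foreach (array_slice($history['hashes'], 1) as $old) {
        if (password_verify($plaintext, $old)) {
            return ['reset', $history]; // reused: history and timer stay as they were
        }
    }

    // Unique password: track it, cap the list (assumed: current + $keep previous),
    // and restart the expiry timer.
    $hashes = array_slice(
        array_merge([password_hash($plaintext, PASSWORD_BCRYPT)], $history['hashes']),
        0, $keep + 1
    );
    return ['allow', ['hashes' => $hashes, 'last_updated' => $now]];
}

// Constructed walk-through with made-up passwords and timestamps.
$day = 86400;
[$d1, $h] = rotate_check_login(null, 'Spring-Tide-41', 0);        // first login
[$d2, $h] = rotate_check_login($h, 'Spring-Tide-41', 91 * $day);  // same password, 91 days on
[$d3, $h] = rotate_check_login($h, 'Harbor-Lamp-77', 92 * $day);  // changed to a new password
[$d4, $h] = rotate_check_login($h, 'Spring-Tide-41', 93 * $day);  // changed back to the old one
echo implode(' ', [$d1, $d2, $d3, $d4]), PHP_EOL;
```

Because every comparison needs the plaintext, the check can only run at login; the stored history never contains anything but bcrypt hashes.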

CLI Commands

rotate:force-all

Forces all members to reset their password on their next login.

`php eecli.php rotate:force-all`

This command creates (or updates) a password history record for every member and backdates the `last_updated` timestamp so that every member's password appears expired. On their next login, each member will be redirected to the password reset page.

Running this command multiple times is safe. Existing records are updated rather than duplicated.

TERMS OF SERVICE

All tripleNERDscore add-ons come with a free 30-day support period beginning after the initial purchase. If the reported issue is clearly an issue with tripleNERDscore add-ons, we will attempt to fix the issue in a timely manner, free of charge to the customer.

Support is only provided for add-ons installed in official releases of ExpressionEngine. This does not include forks or individually maintained ExpressionEngine repositories.

tripleNERDscore reserves the right to suspend support at any time and ask the customer to pay an additional $50 per hour of support in the occurrence of any scenario noted below. Fees will be invoiced and payable by credit card.

Plainly said, tripleNERDscore reserves the right to ask for compensation for time spent diagnosing what are clear or suspected conflicts with other 3rd party add-ons, or if the issue relates to other 3rd party add-ons and requires excessive time and effort to investigate. If after diagnosis it is determined that it is not a conflict with an add-on but an issue with tripleNERDscore add-ons, then no extra fees will be required of the customer. In many cases bugs reported after the free 30-day support period will still be addressed, free of charge, if tripleNERDscore can replicate the issue in local development environments.

SUPPORT

We want to make sure you have what you need on this. Email [email protected] for help.