Support for expired passwords
CREATE USER 'foo'@'%' IDENTIFIED BY 'foobar';
ALTER USER 'foo'@'%' PASSWORD EXPIRE;
And then the user tries to log in with HeidiSQL, but gets an error message that HeidiSQL doesn't support expired passwords.
Please make it possible to log in so the user can set a password.
I guess in such cases the user should get some prompt, not the main window, and the ability to set a password, or?
If disconnect_on_expired_password is disabled or the client has the MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS flag set, then the user is put into a sandbox environment. Then the application can't do anything except a SET PASSWORD statement.
So when HeidiSQL sends this flag, nothing else should be needed. However, some connection initialization statements may fail.
I've tested this with a server with disconnect_on_expired_password disabled and then I get this error:
"SQL Error (1820): You must SET PASSWORD before executing this statement."
So it looks like there are initialization statements which are run by HeidiSQL. I couldn't find an option to disable the initialization statements.
The initialization commands from HeidiSQL:
SET NAMES utf8mb4;
The show status is the one that results in an error.
Note that in 5.7 password expiration might become more common as it introduces password lifetimes (e.g. set lifetime to 90 days and MySQL will set the account as expired).
So what I think should be done:
- Add the flag to indicate the client can handle expired passwords
- Don't issue SHOW STATUS or continue if it gives an error.
- Let the user execute SET PASSWORD or provide a prompt for it.
mysql> select version();
ERROR 1820 (HY000): You must SET PASSWORD before executing this statement
mysql> set password = password('newpassword');
Query OK, 0 rows affected (0.00 sec)
mysql> select version();
+------------------+
| version()        |
+------------------+
| 5.6.22-debug-log |
+------------------+
1 row in set (0.00 sec)
This is what Workbench does:
You might also want to change the saved password for the connection.
I have the CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS constant set in mysql_real_connect(). Further I have a libmysql.dll from the MariaDB 10.1.8 release which can handle expired passwords and the mentioned constant.
Now, after connecting through HeidiSQL, I only get a disconnect after the first init statements. If I don't want to run into this
SQL Error (1820): You must SET PASSWORD before executing this statement
... then how can I detect an expired password? I guess I have to run into the error to see the error code 1820, then trigger a "reset password" dialog?
r5094 now adds a change-password dialog like in the screenshot, when the very first query of a connection returns error 1820.
This implementation only works on servers with disabled
This looks very good. Thanks for implementing this!
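
Added example, not part of the original thread and not HeidiSQL code: the server-side view of the expiration behaviour discussed above, including the 5.7 password lifetimes mentioned in the thread. It assumes MySQL 5.7.6 or later; the account 'foo'@'%' comes from the first post and the new password is a placeholder.

```sql
-- Added example; assumes MySQL 5.7.6+ (ALTER USER ... PASSWORD EXPIRE INTERVAL,
-- mysql.user.password_lifetime). Passwords are placeholders.

-- 1. Server policy: ON disconnects clients that did not announce
--    expired-password support; OFF puts them into the sandbox instead.
SHOW VARIABLES LIKE 'disconnect_on_expired_password';

-- 2. Global password lifetime in days (0 = no automatic expiration).
SET GLOBAL default_password_lifetime = 90;

-- 3. Per-account settings override the global default.
CREATE USER 'foo'@'%' IDENTIFIED BY 'foobar';
ALTER USER 'foo'@'%' PASSWORD EXPIRE INTERVAL 90 DAY;  -- lifetime for this account
ALTER USER 'foo'@'%' PASSWORD EXPIRE;                  -- expire immediately

-- 4. Audit: which accounts are already expired, and when the others will
--    expire. expires_at is NULL when the effective lifetime is 0.
SELECT user, host, password_expired, password_last_changed,
       password_last_changed
         + INTERVAL NULLIF(COALESCE(password_lifetime,
                                    @@global.default_password_lifetime), 0) DAY
         AS expires_at
FROM mysql.user
ORDER BY password_expired DESC, expires_at;

-- 5. In the expired account's own session (sandbox mode), other statements
--    return error 1820 until the password is changed:
ALTER USER USER() IDENTIFIED BY 'new-placeholder-password';
-- On 5.6 servers the equivalent is SET PASSWORD = PASSWORD('...'), as in the
-- mysql client session shown earlier in the thread.
```

Running the audit query periodically lets an administrator warn users before their clients hit error 1820 at connect time.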