Improved OpenEMIS Core Password Renewal Rule

Janith Silva
4 min read · Mar 9, 2020


If you don't know what OpenEMIS Core is: it is a sector-wide open source Education Management Information System (EMIS) that facilitates the collection, processing, and management of education information. OpenEMIS Core is a customizable web application that supports the day-to-day activities involved in managing a sector-wide education system. (https://www.openemis.org/)

Why should you reset the password regularly?

If you’ve worked a job that requires you to have login credentials, you’re probably familiar with the common “90-day rule” for passwords. The rule being: change your password every 90 days (or 45 days, depending on the workplace). It’s a security best practice that will keep your accounts and your organization secure from hackers and other unauthorized people.

OpenEMIS Core is written in CakePHP 3, and the application had no rule for automatic password renewal. The only rule related to password renewal was the ‘first-time login password update rule’ (you must update the password when you log in to the system for the first time).

After debugging the current system I came up with this workflow for the new rule implementation.

In the database migration, I set the default value of the newly added column for each existing user record to 2019-12-01. After running the migration it was time to update the functions in PasswordBehaviour.php and DashboardController.php.

Main Functionality Update

Database reads and writes for passwords are handled by PasswordBehaviour.php. When the user enters a valid new password (based on the currently available rules), the system updates the password column with a hashed password. At that point my timestamp should be updated as well, to keep track of password changes. Since the write to the DB happens after the beforeSave method is called, I updated the beforeSave function like this.

First I got the users table from the database using TableRegistry.

Then I set the timezone to Asia/Colombo, because the default was the AWS server's timezone.

date_default_timezone_set('Asia/Colombo');

After that, I wrote a query to update the particular user’s record with the current time (security_timeout is the newly added column).

$query = $Users->query();
try {
    // Stamp the renewal time on the user whose password is being saved.
    // DateTime is PHP's \DateTime; the namespaced behavior file needs `use DateTime;`.
    $query->update()
        ->set(['security_timeout' => new DateTime(date('Y-m-d h:i:s a', time()))])
        ->where(['id' => $entity->id])
        ->execute();
} catch (\Exception $e) {
    error_log($e);
}
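To show the write side as one piece, here is an added example of a CakePHP 3 behavior that stamps the same column. It is not OpenEMIS code and not the contents of the post's PasswordBehaviour.php; the class name PasswordRenewalBehavior, the config keys and the Asia/Colombo zone are assumptions. It differs from the snippet above in two ways a practitioner would want: it only moves the stamp when the password field is actually dirty, so saving an unrelated field such as last_login cannot reset the renewal clock, and it sets the field on the entity so the stamp is written in the same statement as the new hash instead of a second query.

```php
<?php
// Added example (not OpenEMIS project code): a CakePHP 3 behavior hook that
// stamps security_timeout whenever the password field actually changes.
// Assumes the users table has a datetime column named security_timeout
// and that this behavior is attached to that table.
namespace App\Model\Behavior;

use ArrayObject;
use Cake\Datasource\EntityInterface;
use Cake\Event\Event;
use Cake\ORM\Behavior;
use DateTime;
use DateTimeZone;

class PasswordRenewalBehavior extends Behavior
{
    protected $_defaultConfig = [
        'field' => 'password',              // column whose change triggers the stamp
        'timestampField' => 'security_timeout',
        'timezone' => 'Asia/Colombo',       // assumption: matches the zone used in the post
    ];

    public function beforeSave(Event $event, EntityInterface $entity, ArrayObject $options)
    {
        $field = $this->getConfig('field');

        // Only move the renewal clock when the password itself was changed;
        // saving an unrelated field (e.g. last_login) must not reset it.
        if (!$entity->isDirty($field)) {
            return;
        }

        // Setting the entity field puts the stamp into the same INSERT/UPDATE
        // as the new password hash, so the two cannot drift apart.
        $entity->set(
            $this->getConfig('timestampField'),
            new DateTime('now', new DateTimeZone($this->getConfig('timezone')))
        );
    }
}
```

Attach it with `$this->addBehavior('PasswordRenewal');` in the table's initialize() method (or pass `['field' => ...]` to override the defaults). Because the stamp rides along with the entity save, a failed save also leaves the stamp untouched, which the separate update query above does not guarantee.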

The above function is called whenever a user updates the password. Next, the dashboard controller had to be updated to perform a new validation when a user logs into the system. The idea was to take the difference between security_timeout and the current time and check whether it exceeds 90 days. As in the previous step, I first retrieve the user's record, using the Auth component to identify the logged-in user.

$user = $this->Auth->user();
$userData = TableRegistry::get("security_users")->get($user['id']);

The stored value was then converted to a DateTime object so the difference could be computed with the diff function, and the total number of months was calculated from the result.

$totMonths = 0; // stays 0 if the stamp cannot be parsed, so the renewal check below is skipped
try {
    date_default_timezone_set('Asia/Colombo');
    $start_date = new DateTime($userData->security_timeout->format('Y-m-d h:i:s a'));
    $since_start = $start_date->diff(new DateTime(date('Y-m-d h:i:s a', time())));
    // Whole calendar months since the last change; leftover days are ignored.
    $totMonths = $since_start->y * 12;
    $totMonths += $since_start->m;
} catch (\Exception $e) {
    error_log($e);
}

After that, a new condition was added to check whether the total-months variable is at least 3. If it is, the password update UI is prompted to the user.

if ((is_array($user) && array_key_exists('last_login', $user) && is_null($user['last_login'])) || ($totMonths >= 3))
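The month arithmetic above drops the leftover days, so "3 months" and "90 days" are not quite the same rule. The following added example (plain PHP, runnable with `php` and independent of CakePHP; not OpenEMIS code) pulls the check out of the controller into pure functions so it can be exercised with constructed dates. It shows the post's whole-month variant next to a literal day count, and also handles a NULL stamp by forcing renewal, an edge case the post avoids by giving every existing row the 2019-12-01 default. The sample dates and the function names are constructed for the illustration.

```php
<?php
// Added example (not OpenEMIS project code): the renewal check as pure functions,
// exercised with constructed stamps instead of rows from security_users.

declare(strict_types=1);

/** Whole calendar months between the last change and now (the post's arithmetic). */
function monthsSinceChange(DateTimeInterface $lastChange, DateTimeInterface $now): int
{
    $diff = $lastChange->diff($now);
    return $diff->y * 12 + $diff->m;   // leftover days are dropped
}

/** True when renewal is due under the post's ">= 3 months" rule. */
function renewalDueByMonths(?DateTimeInterface $lastChange, DateTimeInterface $now): bool
{
    // A NULL stamp means the password age is unknown; fail closed and ask for a renewal
    // rather than letting the account pass the check forever.
    if ($lastChange === null) {
        return true;
    }
    return monthsSinceChange($lastChange, $now) >= 3;
}

/** The same policy expressed as a literal day limit (90 by default). */
function renewalDueByDays(?DateTimeInterface $lastChange, DateTimeInterface $now, int $maxDays = 90): bool
{
    if ($lastChange === null) {
        return true;
    }
    return $lastChange->diff($now)->days >= $maxDays;
}

$tz = new DateTimeZone('Asia/Colombo');

// Constructed sample stamps: the migration default paired with a few login times.
$cases = [
    ['2019-12-01 00:00:00', '2020-02-28 09:00:00'], // 2 months 27 days, 89 days: neither rule fires
    ['2019-12-01 00:00:00', '2020-02-29 09:00:00'], // 2 months 28 days, 90 days: only the day rule fires
    ['2019-12-01 00:00:00', '2020-03-01 09:00:00'], // exactly 3 months, 91 days: both rules fire
    ['2019-12-01 00:00:00', '2020-03-09 09:00:00'], // 99 days: both rules fire
];

foreach ($cases as [$stamp, $loginAt]) {
    $last = new DateTime($stamp, $tz);
    $now  = new DateTime($loginAt, $tz);
    printf(
        "%s -> %s: months=%d byMonths=%s byDays=%s\n",
        $stamp,
        $loginAt,
        monthsSinceChange($last, $now),
        renewalDueByMonths($last, $now) ? 'renew' : 'ok',
        renewalDueByDays($last, $now) ? 'renew' : 'ok'
    );
}

// A missing stamp is treated as "renew" by both variants.
var_dump(renewalDueByMonths(null, new DateTime('now', $tz)));
```

The second case is the interesting one: on 29 February 2020 the password is 90 days old, but the whole-month count is still 2, so the controller's `$totMonths >= 3` check lets that login through for one or two more days. Whether that slack is acceptable depends on how literally the organisation reads its 90-day rule; if it matters, comparing `diff()->days` to 90 is the direct way to enforce it.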

That was the walkthrough of the OpenEMIS Core password renewal rule update. With it in place, the system's password security is stronger than before.

Thanks for the read. See you next time!