5.2.2.5. Password Reset

If users have forgotten their password, an email or some other type of notification is sent via the IBM WebSphere Commerce server. The message contains the newly generated password. The user can then log in to the store again and update the password in the profile settings.

The password reset is executed by a custom REST service handler, PasswordResetHandler, which has to be installed for the Commerce system. The handler's update password method resets the password for unauthorized users and updates the password for authenticated users. Once the password is reset or updated, the Commerce system sends an email. For this to work, ensure that an SMTP server is configured properly in the IBM WebSphere Administration Console. The Administration Console also allows you to inspect the queue of pending mails (if the SMTP server has not been set up yet).

Caution

The default password reset behavior differs from the default one that has been implemented for IBM's Aurora store. If unauthorized users reset their passwords, they cannot log in until the generated password has been updated to a new one. Every link in the store points to the update password form.

This behavior cannot be disabled in the developer edition of the IBM WebSphere Commerce server, but should be disabled for the production environment: The default login flow that is configured in the XML file lc/lc-cae/src/main/resources/com/coremedia/livecontext/es/webflow/com.coremedia.blueprint.elastic.social.cae.flows.Login.xml will try to log out users if they authenticate against the IBM WebSphere Commerce system with an expired password. This logout call will fail since the system assumes that the user has to be logged in until the password has been updated. On the CAE site, this will result in an inconsistent cookie state.