|Applies To||RSA ClearTrust|
|Issue||RSA ClearTrust user challenged for credentials after changing password|
After authenticating, the user is directed to the password change application; after changing the password, the user is challenged for credentials again even though they appear to have already authenticated.
|Cause||When a user is challenged to authenticate and receives a "password expired" response, they can be directed through a password change mechanism. After successfully changing the password they can be redirected to the original protected URI (see the solution regarding URI retention with password change custom code in RSA ClearTrust for more information), but in the normal case the user is rechallenged, because the first authentication attempt did not succeed: the "password expired" response is a failed authentication, so the agent holds no authenticated session for that user when they arrive at the protected URI.|
|Resolution||After the user has successfully changed their password, there are two methods available for authenticating them invisibly before redirecting them to their original URI:|
1. Using the Runtime API, the password change code can authenticate the user with the new password and obtain a token, returning it to the browser as a CTSESSION cookie so that, on redirection to the retained URI, the agent accepts the user as already authenticated. The cookie must be set with the same name, domain, path and security attributes the agent itself uses for CTSESSION, otherwise the agent will not see it.
2. After the password change, the password change application can return a page that POSTs the username and the new password to the logon page, identically to how the credentials would be submitted after the user typed them into the logon form. The user is authenticated, and if URI retention is enabled, redirected. Note that the form parameter names must be identical to what the logon form expects (check the source of the logon page), and if URI retention is handled by query string, the retained URI must also be submitted as a query string to the logon page. Because this page carries the user's new password in its body, it must be served only over HTTPS, sent with no-store cache headers, and never written to application or web server logs.
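The following is an added example of method 2 and is not RSA's code. It reads the field names out of the logon form (a constructed sample page, not the real ClearTrust logon page), fills the password field with the new password and the first text field with the username, carries any hidden fields over unchanged, appends the retained URI to the action's query string, and returns a self-submitting HTML page. The logon URL, the field names `ct_user`, `ct_pwd` and `ct_mode`, and the query string parameter name `ct_orig_uri` are assumptions for illustration; take the real ones from your logon page.

```javascript
// Added example (not RSA ClearTrust code): build the self-submitting POST page
// that replays the username and NEW password to the agent's logon form.
// Node.js, no dependencies.

// Constructed sample of a logon form; a deployment would inspect the source of
// the real logon page instead.  Field and URL names here are assumptions.
const SAMPLE_LOGON_FORM = `
<html><body>
<form name="logon" method="POST" action="/cleartrust/logon.html">
  User: <input type="text" name="ct_user">
  Password: <input type="password" name="ct_pwd">
  <input type="hidden" name="ct_mode" value="normal">
  <input type="submit" value="Logon">
</form>
</body></html>`;

// Escape a value for an HTML attribute so a password or URI containing quotes or
// angle brackets cannot break out of value="" (a self-inflicted XSS otherwise).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Read one attribute value out of a tag string: attr('<input name="x">', 'name') -> 'x'.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  if (!m) return undefined;
  if (m[1] !== undefined) return m[1];
  if (m[2] !== undefined) return m[2];
  return m[3];
}

// Parse the logon form: its action, method, and every non-submit <input>,
// returned as { action, method, inputs: [{ name, type, value }] } in document order.
function parseLogonForm(html) {
  const formTag = /<form\b[^>]*>/i.exec(html);
  if (!formTag) throw new Error('no <form> found in logon page');
  const inputs = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const type = (attr(tag, 'type') || 'text').toLowerCase();
    const name = attr(tag, 'name');
    if (!name || type === 'submit' || type === 'button' || type === 'image') continue;
    inputs.push({ name, type, value: attr(tag, 'value') || '' });
  }
  return {
    action: attr(formTag[0], 'action'),
    method: (attr(formTag[0], 'method') || 'GET').toUpperCase(),
    inputs,
  };
}

// Build the self-submitting replay page.  opts.retainedUriParam is the query
// string parameter the agent uses for URI retention (an assumed name) and
// opts.retainedUri the URI the user originally requested.
function buildReplayPage(form, username, newPassword, opts = {}) {
  if (form.method !== 'POST') throw new Error('logon form is not POST; refusing to put credentials in a GET');
  let action = form.action;
  if (opts.retainedUri) {
    if (!opts.retainedUriParam) throw new Error('retainedUriParam required with retainedUri');
    const sep = action.includes('?') ? '&' : '?';
    action += `${sep}${encodeURIComponent(opts.retainedUriParam)}=${encodeURIComponent(opts.retainedUri)}`;
  }
  let usernameDone = false;
  const hidden = form.inputs.map((f) => {
    let v = f.value;                                     // hidden fields keep the page's own value
    if (f.type === 'password') v = newPassword;          // the NEW password
    else if (f.type === 'text' && !usernameDone) { v = username; usernameDone = true; }
    return `<input type="hidden" name="${escapeHtml(f.name)}" value="${escapeHtml(v)}">`;
  }).join('\n    ');
  return `<!DOCTYPE html>
<html><head><meta http-equiv="Cache-Control" content="no-store"></head>
<body onload="document.forms[0].submit()">
  <form method="POST" action="${escapeHtml(action)}">
    ${hidden}
    <noscript><input type="submit" value="Continue"></noscript>
  </form>
</body></html>`;
}

// Response headers to send with the page: its body carries a live password, so
// it must not be cached, and the application must be served only over HTTPS.
const REPLAY_PAGE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Cache-Control': 'no-store, no-cache, must-revalidate',
  'Pragma': 'no-cache',
};

// Convenience wrapper: parse the logon page and build the replay page in one call.
function buildLogonReplay(logonHtml, username, newPassword, retainedUri) {
  const form = parseLogonForm(logonHtml);
  return buildReplayPage(form, username, newPassword, { retainedUri, retainedUriParam: 'ct_orig_uri' });
}

// Usage with constructed input:
// console.log(buildLogonReplay(SAMPLE_LOGON_FORM, 'jdoe', 'N3w"Pass<word>', '/protected/app?id=7'));
```

The password-change application would emit the returned page, with `REPLAY_PAGE_HEADERS`, as its response after the change succeeds; the browser submits the form on load and the agent sees an ordinary logon POST. Matching inputs by `type` rather than by hard-coded names keeps the replay aligned with whatever the logon form actually contains, and refusing a GET form prevents credentials from landing in the query string, where they would be logged.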
|Legacy Article ID||a25448|