Security Questions (v2025)

Passwords are always stored as plain text in the users table, even after the password was changed by the user
Password field is MySQL/VarChar(255)

2FA doesn’t work for Super Admin (Error: Two factor authentication verification failed)
Help mentions that “The Profile field under User Login Options must be set to store the user secret and backup codes”
This is set, but how should this apply to Super Admin, who’s not stored in the users table?

Is there a possibility to force a password change after a user logged in via a login link?

  1. You should enable Migrate password algorithm.
  2. 2FA also works for super admin, the settings are stored in cookies.
  3. To force a password change, you may use AuthenticationSuccessEvent server event to set the user profile object’s setPasswordExpired() method. To check if the login is via a login link you may check, for example, RouteName() == "login_check" && $request->query->get("action") != "activate" (login link but not the user activation link).
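
Added example, not part of the reply above and not the product's own code: a generic PHP sketch of migrate-on-login for a users table that still holds plaintext passwords in a VarChar(255) column. It assumes "Migrate password algorithm" upgrades the stored value after a successful login; the array, `isLegacyPlaintext()` and `loginAndMigrate()` are hypothetical names, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table: name => stored password column.
// 'alice' is a legacy plaintext row, 'bob' is already hashed.
$users = [
    'alice' => 'Summer2024!',
    'bob'   => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Hash checked for unknown users so both paths do comparable work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function isLegacyPlaintext(string $stored): bool
{
    // password_get_info() reports "unknown" for values that are not a hash.
    return password_get_info($stored)['algoName'] === 'unknown';
}

function loginAndMigrate(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    $stored = $users[$name];
    $legacy = isLegacyPlaintext($stored);
    $ok = $legacy
        ? hash_equals($stored, $password)      // constant-time compare
        : password_verify($password, $stored);

    // Upgrade only after a successful login, when the plaintext is known.
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Walk through one account: failed login, still plaintext, successful
// login, now hashed, and the same password still verifies afterwards.
var_dump(loginAndMigrate($users, 'alice', 'wrong'));
var_dump(isLegacyPlaintext($users['alice']));
var_dump(loginAndMigrate($users, 'alice', 'Summer2024!'));
var_dump(isLegacyPlaintext($users['alice']));
var_dump(loginAndMigrate($users, 'alice', 'Summer2024!'));
```

In this sketch a row is upgraded only when its owner next logs in, so accounts that never log in keep the plaintext value until they are reset or rehashed in bulk.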