Force password change

Is there a way to force a customer to change password? I will be preloading a cs-cart site with all the users from the inhouse data. I was hoping to set a temp password and force user to change upon first use.

I have not found any thing like this.

Thanks for any help


Assuming you will be importing directly into the DB, I would try setting password_change_timestamp to timestamp + 1 and see if that forces the user to change their password at the next login.

I was not planning to import directly to DB, but using cs-cart import feature. I see there is no timestamp type of field. Not knowing how cs-cart has all the tables setup I am not real comfortable importing there. I will go poke around the tables to see if I see something about timestamp.

I would also need to be able to force password change for new customers.

Please explain further as you have time.



Well, I’m not aware of a customer import…

Sure there is a customer(user) import. Adminstration tab / import data / users (on right side).

Her are the import fields allowed



User type


User group IDs



First name

Last name




Web site

Tax exempt

Registration date


Billing: title

Billing: first name

Billing: last name

Billing: address

Billing: address (line 2)

Billing: city

Billing: state

Billing: country

Billing: zipcode

Shipping: title

Shipping: first name

Shipping: last name

Shipping: address

Shipping: address (line 2)

Shipping: city

Shipping: state

Shipping: country

Shipping: zipcode

Extra fields

I keep forgetting that they tuck some of the categories on the right for some things. I didn’t see it and obviously I’ve never used it. I don’t see a matching field in the import fields that would match up against the password_change_timestamp field.

After you import, I would inspect the table and see what that field has for a value. If it’s zero, then I would run a quick sql that would set it to timestamp+1.

For users, it’s basically a join of 2 tables “users” and “user_profiles”. The timestamp is only in users. It is effectively the create time. So my assumption is that the password_change_timestamp field is looked at when a user logs in. If it’s zero then no password change is required, otherwise if time() > password_change_timestamp then I expect the system requires the user to change their password. So if it is initally set to timestamp + 1 then anytime after creation, the user will be prompted to change their password.

I have NOT verified this logic with code, but this is pretty common way to do things.

Well I test out the theory of setting the field “password_change_timestamp” to +1

no help there. I went to the user and change the password, then back to the DB and there is a new timestamp of 1299696706 . so i belive they just have this field log the time/date the password may have been changed. The initial setting is “0” for when a user first sets up account. I guess this may be a job for the cs-cart team to create this functionality.

I have several other jobs for them such as a new export order method so we can easily transfer them to our inhouse order form (created in excel).

Then we also need a quick order form like has. Our wholsale customers know our products and need a faster way to enter orders. searching and picking throught the website is really not speedy.

And need to figure out how to pull Company name out of DB and place above user name in several locations through out site. Also in the admin side. We know Company names better than the indinviual user at a company.

So if any one has some thoughts on these items I would love to here them.


Hi Dave,

I know this is an old thread, but I recently completed a project that required this functionality on a 2.1.4 installation. The following code extends the stock “Force administrators to change password on the first login” security setting to also apply to customers. With the mod in place, any customer account with a “password_change_timestamp” of 0 (in the “cscart_users” table) will see a persistent alert upon login requesting that they change their password. Once the password is successfully changed, the alert goes away.

First, we need a new language variable for the alert. In the language admin, create the following variable:

variable name = error_password_must_change

variable value = For security purposes, you must change your password.

Next, we need to edit /controllers/customer/init.php

At about line 90, insert the following code:

// Enforce password change on customers
if (!empty($auth['user_id']) && !fn_check_permissions(CONTROLLER, MODE, 'trusted_controllers') && $_SERVER['REQUEST_METHOD'] != 'POST') {
// PCI DSS Compliance
$auth['password_change_timestamp'] = !empty($auth['password_change_timestamp']) ? $auth['password_change_timestamp'] : 0;
$time_diff = TIME - $auth['password_change_timestamp'];
$expire = Registry::get('settings.Security.admin_password_expiration_period') * SECONDS_IN_DAY;
if (!isset($auth['first_expire_check'])) {
$auth['first_expire_check'] = true;
// We do not need to change the timestamp if this is an Ajax requests
if (!defined('AJAX_REQUEST')) {
$_SESSION['auth_timestamp'] = !isset($_SESSION['auth_timestamp']) ? 0 : ++$_SESSION['auth_timestamp'];

// Make user change the password if:
// - password has expired
// - this is the first admin's login and change_admin_password_on_first_login is enabled
// - this is the first vendor admin's login
if (($auth['password_change_timestamp'] <= 1 && ((Registry::get('settings.Security.change_admin_password_on_first_login') == 'Y') || (!empty($auth['company_id']) && empty($auth['password_change_timestamp'])))) || ($expire && $time_diff >= $expire)) {
$_SESSION['auth']['forced_password_change'] = true;

if ($auth['first_expire_check']) {
fn_set_notification('E', fn_get_lang_var('notice'), str_replace('[link]', fn_url('profiles.update', 'C'), fn_get_lang_var('error_password_must_change')), "S", 'password_must_change');
} else {
$auth['first_expire_check'] = false;
// Enforce password change on customers

Next, we edit /core/fn.users.php

At about line 1005 (after “PCI DSS Compliance”) insert the following code:

// Enforce password change on customers
if ($user_data['user_type'] == 'C') {

$msg = array();
// Check password length
$min_length = Registry::get('settings.Security.min_admin_password_length');
if (strlen($user_data['password1']) < $min_length || strlen($user_data['password2']) < $min_length) {
$valid_passwords = false;
$msg[] = str_replace("[number]", $min_length, fn_get_lang_var('error_password_min_symbols'));

// Check password content
if (Registry::get('settings.Security.admin_passwords_must_contain_mix') == 'Y') {
$tmp_result = preg_match('/\d+/', $user_data['password1']) && preg_match('/\D+/', $user_data['password1']) && preg_match('/\d+/', $user_data['password2']) && preg_match('/\D+/', $user_data['password2']);
if (!$tmp_result) {
$valid_passwords = false;
$msg[] = fn_get_lang_var('error_password_content');

if ($msg) {
fn_set_notification('E', fn_get_lang_var('error'), implode('
', $msg));

// Check last 4 passwords
if (!empty($user_id)) {
$prev_passwords = !empty($current_user_data['last_passwords']) ? explode(',', $current_user_data['last_passwords']) : array();

if (!empty($_SESSION['auth']['forced_password_change'])) {
// if forced password change - new password can't be equal to current password.
$prev_passwords[] = $current_user_data['password'];

if (in_array(md5($user_data['password1']), $prev_passwords) || in_array(md5($user_data['password2']), $prev_passwords)) {
$valid_passwords = false;
fn_set_notification('E', fn_get_lang_var('error'), fn_get_lang_var('error_password_was_used'));
} else {
if (count($prev_passwords) >= 5) {
$user_data['last_passwords'] = implode(',', $prev_passwords);
} // Enforce password change on customers

Finally, in this same file after “$user_data['password_change_timestamp'] = $_SESSION['auth']['password_change_timestamp'] = TIME;” (about line 1060), insert the following code:

fn_delete_notification('password_must_change'); // Enforce password change on customers

Good luck,