The Cart Blog

Sunday, February 26, 2012

Disabling the forced Admin password change in Zen Cart 1.5.0

Filed under: That Software Guy, Zen Cart — thatsoftwareguy @ 10:11 am

*** Warning: This change will violate the PCI status of your cart. Only do this on test carts on your own PC or on carts which do not require PCI certification. ***

One of the features which is required for Zen Cart PCI compliance is periodic password changes.  This can be a nuisance on test carts and carts on your local PC.  Here’s how to turn it off.

a) To disable forced 90-day password changes, edit

admin/login.php

and change

define('ADMIN_PASSWORD_EXPIRES_INTERVAL', strtotime('- 90 day'));

to

define('ADMIN_PASSWORD_EXPIRES_INTERVAL', strtotime('- 36500 day'));

(Note that the above change means you won’t have to change passwords for 100 years.  To require an annual password change, use the value 365 instead.)

b) To disable the check against the last 3 passwords, edit

admin/includes/functions/admin_access.php

and change zen_check_for_password_problems() so that the first line of the function body is

return FALSE;
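To confirm that a production cart has not inherited these test-only edits, the two files can be checked for them. The following Python sketch is an added example, not code from this post or from Zen Cart; the function names, the 90-day policy default and the sample file contents are assumptions constructed for illustration.

```python
import re

# Matches the define() from admin/login.php and captures the day count.
INTERVAL_RE = re.compile(
    r"define\(\s*'ADMIN_PASSWORD_EXPIRES_INTERVAL'\s*,"
    r"\s*strtotime\(\s*'-\s*(\d+)\s*days?'\s*\)\s*\)")
# Matches the function when its body opens with an unconditional return FALSE.
BYPASS_RE = re.compile(
    r"function\s+zen_check_for_password_problems\s*\([^)]*\)"
    r"\s*\{\s*return\s+false\s*;", re.IGNORECASE)

def strip_php_comments(src):
    """Drop /* */ blocks and whole-line // or # comments (simplified)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"(?m)^[ \t]*(?://|#).*$", "", src)

def audit_login(source, max_days=90):
    """Findings for admin/login.php; max_days is an assumed policy value."""
    m = INTERVAL_RE.search(strip_php_comments(source))
    if m is None:
        return ["expiry define not found in the expected form"]
    days = int(m.group(1))
    if days > max_days:
        return [f"password expiry is {days} days, policy maximum is {max_days}"]
    return []

def audit_admin_access(source):
    """Findings for admin/includes/functions/admin_access.php."""
    if BYPASS_RE.search(strip_php_comments(source)):
        return ["zen_check_for_password_problems() returns FALSE at once: "
                "password reuse and all other checks in it are skipped"]
    return []

# Constructed sample file contents showing both edits from the post.
SAMPLE_LOGIN = """<?php
// define('ADMIN_PASSWORD_EXPIRES_INTERVAL', strtotime('- 90 day'));
define('ADMIN_PASSWORD_EXPIRES_INTERVAL', strtotime('- 36500 day'));
"""
SAMPLE_ACCESS = """<?php
function zen_check_for_password_problems($password, $adminID = 0) {
  return FALSE;
  $error = FALSE;
}
"""

if __name__ == "__main__":
    for finding in audit_login(SAMPLE_LOGIN) + audit_admin_access(SAMPLE_ACCESS):
        print("FINDING:", finding)
```

Comments are stripped before matching so that a commented-out copy of the original 90-day line does not hide the active define.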

2 Comments »

  1. Thanks for the tip, did the job in 5 minutes.
    Zen Cart is a good cart but just goes too far with PCI compliance.
    Full PCI not kills small businesses but greatly lessens customers’ usability.
    Cheers.

    Comment by Paul — Thursday, October 11, 2012 @ 5:34 am

  2. This method of disabling the check against previous passwords also disables the checks for minimum length and strength of password.

    Better to read down a few lines in admin_access.php and comment out (using /*…*/) the code that checks against previous passwords. In other words,

    /*
    $sql = "SELECT admin_pass, prev_pass1, prev_pass2, prev_pass3 FROM " . TABLE_ADMIN . "

    (code performing checks is here…)

    }
    }
    }
    */
    return $error;
    }

    Comment by Robert — Monday, September 30, 2013 @ 4:32 pm
