Knowledgebase: Miva Merchant FAQ
How To: Force Your Customers To Reset Their Account Password
Posted by , Last modified by Wayne Smith on 30 April 2014 07:36 AM

The below instructions will allow you to set up a method for forcing all of your customers to reset their passwords. This would be employed as a security precaution in the event of a potential encryption compromise, such as the OpenSSL bug "Heartbleed" which was discovered in April of 2014.



This will work for stores running Empresa Engine version 5.18 or higher, and Miva Merchant Production Release 8 Update 12 or higher. Note that this will require editing the template code on several pages. These edits are low-risk but if you feel uncomfortable with editing code in your store then we advise you to seek help from a developer. If you feel you've made a mistake at any point in the process you can use the built-in Versions dropdown below each section of template code to select a previous working version of the template, then click Recall to bring up that version, and finally click Update to revert the page back to a date+time before the changes were made.



Step 1 – Click Utilities in your admin's lefthand menu and verify that the Custom Fields tab exists at the top of this screen. If it does not, check the box next to it in the list and click Update. Click the Custom Fields tab and then on the New Field button in the upper right. Create a Custom Customer Field so that we can build a method for the software to determine if a customer has already reset their password or not. These are the settings you'll need (the Additional Information field is optional):

Password Reset Custom Customer Field


Step 2 – Click Pages, and then the Items tab, and find the customfields item in the list. Click Edit to the right of it, and then click the Pages tab. Above the row of checkboxes on the left, click the check mark symbol with a plus sign next to it to select all pages, then scroll down and click Update. Now add the code below to your Global Header which will force customers who have not already reset their password to the Forgot Password Screen (FPWD) Note: If you upgraded from an older version of Miva, there is a chance your store is not using this page. In this case you may need to style it to match the look and feel of your website.

<mvt:item name="customfields" param="Read_Customer_Login(g.customer:login,'password_reset',g.password_reset)" />

<mvt:if expr="g.password_reset NE 'yes' AND g.basket:cust_id GT 0">

<mvt:assign name="g.redirect" value="'true'" />

<mvt:if expr="g.Screen EQ 'FPWD' OR g.Action EQ 'EMPW' OR g.Action EQ 'CSTR' OR g.Action EQ 'ICST'">

<mvt:assign name="g.redirect" value="'false'" />



<mvt:if expr="g.redirect EQ 'true'">

<mvt:eval expr="miva_output_header( 'Location', g.secure_sessionurl $ 'Screen=FPWD&Reset=1&Store_Code=' $ g.Store_Code )" />


Step 3 - Add a message to the Forgot Password Page “FPWD” telling users why you are forcing them to reset their passwords.


 Heartbleed Message on FPWD


You can use the following code to make the message only appear for customers being forced to reset their password and not for those who simply forgot theirs:

<mvt:if expr="g.Reset EQ '1'">

  <span style="font-size:24px;font-weight:bold;color:#F00;">Due to the heartbleed bug, out of precaution we are forcing customers to reset their passwords.</span>



Step 4 – When the customer puts in their email address they will get an email with a link to generate a temporary password. That link will take them to the ACRT page. Since the customer may still already be logged in, you'll want to modify the Login Link on the ACRT page so that the customer is logged out when they click it.

Add this to the end of the login link on the ACRT page:


The full link should look like this:


This will log the user out so they can re-login using their temporary password.


Step 5 – The last step will be to flag the customer's account so that the software knows they have reset their password and will not force them to do so again. We will do the same for brand new customers. Add this code to the header of the ACRT page:


<mvt:if expr="NOT ISNULL g.Customer_Temporary_Password AND NOT ISNULL g.basket:cust_id">

<mvt:item name="customfields" param="Write_Customer_Login( g.customer:login, 'password_reset', 'yes' )" />



And add this code to the header of the ACED page:

<mvt:if expr="g.Action EQ 'ICST'">

<mvt:item name="customfields" param="Write_Customer_Login( g.customer:login, 'password_reset', 'yes' )" />




Got stuck?

If you require further assistance, please e-mail with a link to both this article and to your store, and a description of your problem. 

(7 vote(s))
This article was helpful
This article was not helpful

Help Desk Software by Kayako