Login - Force password change on first login

Is there a way that Webuser must change their passwort, when they login the first time?

Revo 2.7.2
Login 1.9.7

1 Like

Here’s an extra that looks useful, but might be outdated


In Modx its easy enough to guide a user through a password change (just have login page send to pw change page), but it would not require that to happen and the user could click out of it.

To force the change, I think you will need to tell Modx that the pw must be changed. Right now that’s on user creation, so I am thinking the best way is to put a token in your create user routine, we could assign a flag to the user upon creation, if this is the only function you need.

Then, you could have a checker in your template that would replace content with reset pw page if the flag is set, for all users, then they couldn’t run away and would have to reset to remove the flag…oh yeah and reset must remove the flag obvs

Will think about this.

Hi @mediengaarage,

I am also interested about this, as I don’t know how to do that.


Easiest would be writing a plugin and attach it to onWebLogin and onModxInit.
You check if it is the first login, and if it is then redirect user to password change page.
To check if it is the first login you could define user attribute “first_login” = 1 on registration, and change it only if password has been changed and activated (afair its useExtended option in Register snippet)
Not too much of coding… and the user can’t click out.

I’ve done something similar but for manager, where password expires after X days, password has to meet certain criteria (impossible with default modx validation) and the session expires after X minutes of inactivity (keyboard, ajax etc). User is able to login but can’t do anything (connectors included) unless password is changed and activated. It is certainly doable without hacking core, and works just fine.

1 Like

I’ve just undertaken this very task so figured I’d share my code here.

This is to use with the “Login” extra for front end use as opposed to Manager side use.

My solution specifically uses a snippet to check the ‘comments’ field of the User record for a statement indicating the password has been updated and if not, you can use the TPL to push people to the password update form. I’ve then added a hook to the password update form to set that string when the password has been updated.

Note that this solution assumes you’re not using the comments field for anything else. If you are you’ll need to find another place to store/retrieve this information.

Snippet: isPasswordReset
Returns 1 for ‘user has changed password’ and 0 for ‘user has never changed password’

// Get current user and get their profile
$currentUser = $modx->getUser();
if($currentUser) {
    $profile = $currentUser->getOne('Profile');
if($profile) {
    $comment = $profile->get('comment');
    // Check for the existence of 'password reset' in the profile comments field
    // Return 0 if the password hasn't been updated and return 1 if it has
    if(strpos($comment,"Password reset") === false) {
        return 0;
    } else {
        return 1;

This snippet can be used thus:


Then in your [[!ChangePassword]] snippet call, include the option &postHooks=clearPasswordWarning`

Snippet: clearPasswordWarning
Sets the contents of the comments field to include a comment that the user has updated their password and when (in human readable form) so you can see that if you ever want to

// Get current user and get their profile
$currentUser = $modx->getUser();
if($currentUser) {
    $profile = $currentUser->getOne('Profile');
// Set the comment that their password has been updated
$profile->set('comment','Password reset: ' . date('r'));