Q. One time password, to administer tests over the web for students, or downloading files.
Since the http protocol is connectionless, each page requested represents an individual "login", so if you change the password on the first page (if this page is an ASP page), no other pages will be viewable.
You need to set the timeout on the username to be 30 minutes (or whatever) from when they login to the 1st page, and so give them a certain number of minutes to take the test. Your 1st page asp code should be careful not to allow resetting of the expiration date if they log back in after 10 minutes.
A. I am assuming you are using the internal database, but you can make this work with ODBC too.
User expiration and password expiration are really the same thing.
The user will exist even though expired.
Then ask them to enter their username, old password, new password. In the script that processes the form, check their details and if all checks out, set the new password as well as the new expiration date (if any).
If you have an example that does this already, let us know and we will include it in the samples for others.