MySQL 8.0.39
Source Code Documentation
|
Since MySQL 5.6.7, a MySQL account can be expired.
If a account is expired, the session is in a restricted mode which only permits SET PASSWORD = .. and similar SET commands. Other statements will fail with an error like this:
Not all clients can properly deal with that error. So on the protocol side exists a safeguard CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS capability flag exists to prevent clients from entering this "sandbox" mode. Only clients that can handle this sandbox mode should report CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS on. Usually this means all interactive clients and all applications that got adjusted to handle the relevant SQL error.
If a client is not setting that capability and it tries to login with an account that has an expired password, the server will return an ERR_Packet for the Connection Phase or the COM_CHANGE_USER request.
The idea is to block any activity until the password is reset.