I have a driver (SOAP) where the web service needs both old and new password to sucessfully change a user's passsword.

No problem, I thought - set the ECV dirxml.engine.use-password-event-values and I get old + new pw.

This works fine, except for the occasional time when the web service barfs temporarily and rejects a perfectly good request because it has decided that my session auth token has expired and must be renewed.

I have a rule that detects this and retries the event (including requetsing a session auth token) but the retried event lacks the old password.

Aside from temporarily stashing the old password somewhere else (which will always be less secure than the standard mechanism) does anyone have any ideas how to work around this?