Last post Sep 14, 2017 01:47 PM by march11
Jul 10, 2017 03:30 PM | carlakawill
What is the preferred method for securely recovering a user password? The password recovery control seems very insecure because it emails the password to the user. The only way I can think of is to send an email containing a link to the password reset page which has some sort of encrypted query string containing a parameter which I store in the database with an expiry time/date to compare with.
Any suggestions much appreciated.
Jul 10, 2017 03:32 PM | march11
This is the most recent and Microsoft recommended method for password recovery...
Jul 12, 2017 05:42 AM | priyalwalpita
You can use Microsoft's standard way as March11 suggested to implement your solution. It is better if you consider the following things as well when you implement this.
Jul 12, 2017 02:20 PM | march11
The identity model will not send an email if the address does not exist in the repository. It says an email has been sent if the address was found in the database.
If it is not there the user will never receive the reset.
Aug 14, 2017 09:39 AM | carlakawill
Thank you for your reply. This would be perfect; however, I should have mentioned that I am developing on .NET 4.0 and still using Web Forms, so I can't use that functionality just yet. Do you know how I could use the password recovery control to send a link instead of a new password? I understand the theory behind it, just not how to do it.
Aug 14, 2017 12:28 PM | PatriceSc
AFAIK it is not supported out of the box by the old Membership system and password recovery control you are using.
to implement that on top of what you are using. A few things could be better written:
- use an actual date and parameters to transmit values to your SQL database (or EF if already using it)
- the missing RetrieveByRecordId method likely uses both the Id and the current date/time (so that expired requests are not retrieved). If a request is "consumed" it should likely also be immediately expired or deleted
- the transaction is likely useless
but it should help as a starting point (you could also model this based on ASP.NET Identity to ease a possible later transition)
Aug 14, 2017 01:49 PM | march11
Yes, I understand; I have a site that is still Web Forms as well, and I have been reviewing the new security model for migration, which is why I had that link handy to answer your question. I also use Web Forms to send the email reset link, well, account activation link. I send a temp password for reset purposes which forces a password change on first login after its use. Additionally, it's only active for a short time.
Let me see if I can find some code to help you along...
You may wish to open a new thread for this purpose though.
Aug 14, 2017 01:52 PM | march11
This is pretty much how I do it...
Imports System.IO
Imports System.Web.Security
Imports System.Web.UI.WebControls

Protected Sub CreateUserWizard1_SendingMail(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.MailMessageEventArgs) Handles CreateUserWizard1.SendingMail
    Dim userInfo As MembershipUser = Membership.GetUser(CreateUserWizard1.UserName)
    Dim oMyObject As New sendSSLemail ' site-specific mailer class that sends over SSL
    ' Construct the verification URL from the current host and the user's provider key
    Dim verifyUrl As String = Request.Url.GetLeftPart(UriPartial.Authority) & Page.ResolveUrl("~/Verify.aspx?ID=" & userInfo.ProviderUserKey.ToString())
    Dim htmlFile As String = "newUserEmail.htm"
    Dim strMessageBody As String
    ' Read body of email from a file; Using closes the reader even if ReadToEnd throws
    Using objStreamReader As StreamReader = File.OpenText(Server.MapPath("~/EmailTempFile/" & htmlFile))
        strMessageBody = objStreamReader.ReadToEnd()
    End Using
    e.Message.Body = strMessageBody
    ' Replace <%VerifyUrl%> placeholder with verifyUrl value
    e.Message.Body = e.Message.Body.Replace("<%VerifyUrl%>", verifyUrl)
    Dim toAdd As String = userInfo.Email
    ' Send through the custom SSL mailer, then cancel the control's own (plain) send
    oMyObject.SSL(, , e.Message.Body, toAdd, "Add User Account Info")
    e.Cancel = True
End Sub
Sep 11, 2017 08:46 AM | carlakawill
OK, so in the end I made my own password recovery model. Basically the user is asked for their username/email, which then sends an email to their registered account with a link containing a GUID (query-string) which is saved in the database with an expiry date-time. When the user activates the link it's compared and, if matched, they are asked a further security question which, if successful, lets them reset the password. Not too difficult to implement really, but it has made me seriously consider upgrading to the latest .NET version and start using MVC. Also, while the out-of-the-box controls are good in ASP, they are limited in features and lack alternative configuration.
Thanks to all that replied.
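One way to implement the token-with-expiry scheme described in this post, and PatriceSc's earlier points about retrieving only unexpired requests and expiring a request once it is consumed, as an added C# sketch that is not code from anyone in this thread. The PasswordResetService and ResetRequest names, and the in-memory dictionary standing in for the database table, are assumptions; only the token's hash is stored, so a copy of the table alone cannot forge a working link.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Stand-in for the reset-request table; on a real site this is a database row.
public class ResetRequest
{
    public string UserName;
    public DateTime ExpiresUtc;
    public bool Consumed;
}

public class PasswordResetService
{
    // Keyed by SHA-256 of the token (assumed in-memory substitute for the DB table).
    private readonly Dictionary<string, ResetRequest> _table = new Dictionary<string, ResetRequest>();
    private readonly TimeSpan _lifetime;

    public PasswordResetService(TimeSpan lifetime) { _lifetime = lifetime; }
    // Issues a fresh random token for the user. The raw token goes only into the
    // emailed link; the store keeps its hash and the expiry time.
    public string IssueToken(string userName, DateTime nowUtc)
    {
        var raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _table[Hash(token)] = new ResetRequest { UserName = userName,
                                                ExpiresUtc = nowUtc + _lifetime, Consumed = false };
        return token;
    }

    // Redeems the token from the link: looks the request up by hash, rejects anything
    // expired or already used, and marks it consumed so the link works exactly once.
    // Returns the user name to reset, or null if the link is not acceptable.
    public string Redeem(string token, DateTime nowUtc)
    {
        ResetRequest req = null;
        if (token == null || !_table.TryGetValue(Hash(token), out req)) return null;
        if (req.Consumed || nowUtc >= req.ExpiresUtc) return null;
        req.Consumed = true;
        return req.UserName;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

A second call to Redeem with the same token, or any call after ExpiresUtc, returns null, which is the behaviour the reset page should treat as "link invalid" without revealing which check failed.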
Sep 14, 2017 01:47 PM | march11
Glad you got it solved, appreciate the feedback.
Note: although it's an allowed capability, it's typically frowned upon on this site when you award yourself as the ANSWER without a complete solution. Typically all of the feedback and input from the community is what got you headed in the direction of a solution, and those key pieces can also be awarded for the input. You can award more than one answer.
Thanks for considering this feedback.