How do I remove username from MembershipProvider password recovery email?
Feb 05, 2020 11:45 AM|haggis999|LINK
I'm using the ASP.NET 4.0 MembershipProvider to control access to one of my websites. One of its facilities is the asp:PasswordRecovery control. A user is sent a password reminder after entering their username. My problem is that this email also includes the username, which is not desirable from a security point of view.
How do I change the content of that email, which is currently being generated from within MembershipProvider rather than my own coding?
Re: How do I remove username from MembershipProvider password recovery email?
Feb 05, 2020 12:33 PM|PatriceSc|LINK
Hi,
You mean without using the control features found in the documentation? Most of the source is available so you can have a look at https://referencesource.microsoft.com/ for ASP.NET 4.x code.
You'll likely find it is handled by the control itself rather than by using the underlying membership which is pretty basic if I remember (and quite a bit outdated).
Re: How do I remove username from MembershipProvider password recovery email?
Feb 05, 2020 01:41 PM|haggis999|LINK
Hi Patrice,
Your link takes me to a page that has the heading .NET Framework 4.8 and a search for .NET 4.0 doesn't seem to get me very far. The following link seems more likely to be useful, but I'm struggling to see how to exploit this on my own Web Form. Please note that I am a part-time, unpaid and self-taught ASP.NET programmer. My knowledge is seldom more than skin deep, so I am probably in need of a bit more hand holding on this.
https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.webcontrols.passwordrecovery.maildefinition?view=netframework-4.0
I am aware that ASP.NET Identity has replaced MembershipProvider as the preferred solution, but it appears to solve problems I don't have, so it has never seemed a priority to migrate to that solution, especially when my available time is rather limited.
EDIT: It looks like I need to use the SendingMail event to specify some subproperty of the MailDefinition class, but I have not yet found a subproperty that seems relevant to my requirements.
Re: How do I remove username from MembershipProvider password recovery email?
Feb 05, 2020 02:13 PM|PatriceSc|LINK
For now it seems the simplest option would be:
    void PasswordRecovery1_SendingMail(object sender, MailMessageEventArgs e)
    {
        e.Message.IsBodyHtml = false;
        e.Message.Subject = "New password on Web site.";
        // According to the doc you have a MailMessageEventArgs.Message which is the generated MailMessage so you could likely use
        e.Message.Message.Body="My own custom message"; // Use other properties if needed to generate the message you want
    }
AFAIK it is not handled at all at the membership provider level (in case you tried already and wanted a provider level solution).
I don't suggest using ASP.NET Identity right away. It is just a quick note about something you could consider later.
Re: How do I remove username from MembershipProvider password recovery email?
Feb 05, 2020 02:26 PM|haggis999|LINK
Just before you made your last post, I had tried using exactly that solution, though I wrote it in VB.NET and used e.Message.Body = "My message" (I note that you used e.Message.Message.Body, but that just creates an error for me). Unfortunately, a test of this code via Local Host did not replace the normal contents of the password reminder email.
Even if I manage to fix that, I am left wondering how I could reference the retrieved password in the email body.
EDIT: I have now succeeded in replacing the body of the password reminder email with some sample text and am now searching again for a way to reference the password.
Re: How do I remove username from MembershipProvider password recovery email?
Feb 05, 2020 03:13 PM|PatriceSc|LINK
Not sure why I typed e.Message.Message. This is e.Message.Body as you have done...
Try perhaps to use https://docs.microsoft.com/en-us/visualstudio/debugger/using-breakpoints?view=vs-2019 to make 100% sure this code is called (or changing the subject does work ???)
If not, you may have to add OnSendingMail="PasswordRecovery1_SendingMail" in the markup for your ASPX control or use maybe https://docs.microsoft.com/en-us/dotnet/visual-basic/language-reference/statements/handles-clause
Check against what you are doing usually with VB.NET to call this kind of event.
Else I would have to try to see what happens and if I get the same problem on my side.
Re: How do I remove username from MembershipProvider password recovery email?
Feb 05, 2020 04:48 PM|haggis999|LINK
You may not have seen the edit I made to my previous post, as it was made at about the same time as you made your last post. I can now change the body of the password retrieval email, but I have not yet found a way to reference the password in that email.
Re: How do I remove username from MembershipProvider password recovery email?
Feb 05, 2020 05:48 PM|haggis999|LINK
Problem now resolved. I created a text file called PasswordRecovery.txt containing my preferred wording for the email body, including the placeholder <%Password%>.
I then added the following line to the HTML. When the email is sent it replaces the placeholder with the actual password. You could also use the placeholder <%UserName%>, though I chose not to.
It was the following article that guided me to this solution.
https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/admin/recovering-and-changing-passwords-vb
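The template-file approach described in the post above, wired from C# code-behind with a check that the template cannot reintroduce the username. This is an added example, not code from any poster in this thread. The control ID PasswordRecovery1, the file name PasswordRecovery.txt and the subject text come from the thread; the page class name, the "~/" location and the exception messages are assumptions.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web.UI;

// Code-behind for the page that hosts <asp:PasswordRecovery ID="PasswordRecovery1" ... />.
// RecoverPassword is an assumed class name; the control field itself is declared
// in the designer half of this partial class.
public partial class RecoverPassword : Page
{
    // Assumed location: the thread's PasswordRecovery.txt placed in the site root.
    private const string TemplatePath = "~/PasswordRecovery.txt";

    // Matched case-insensitively and with optional whitespace inside the tags, so the
    // check is at least as broad as whatever substitution the control performs.
    private static readonly Regex UserNameTag =
        new Regex(@"<%\s*UserName\s*%>", RegexOptions.IgnoreCase);
    private static readonly Regex PasswordTag =
        new Regex(@"<%\s*Password\s*%>", RegexOptions.IgnoreCase);

    protected void Page_Init(object sender, EventArgs e)
    {
        string template = File.ReadAllText(Server.MapPath(TemplatePath));

        // Fail closed: refuse to serve the page if a later edit of the template
        // puts the username placeholder back into the email body.
        if (UserNameTag.IsMatch(template))
            throw new InvalidOperationException(
                "PasswordRecovery.txt must not contain the <%UserName%> placeholder.");

        // Without this placeholder the email would be sent with no password in it.
        if (!PasswordTag.IsMatch(template))
            throw new InvalidOperationException(
                "PasswordRecovery.txt must contain the <%Password%> placeholder.");

        // Hand the checked template to the control; it fills in the placeholders
        // when it builds the message.
        PasswordRecovery1.MailDefinition.BodyFileName = TemplatePath;
        PasswordRecovery1.MailDefinition.IsBodyHtml = false;
        PasswordRecovery1.MailDefinition.Subject = "New password on Web site.";
    }
}
```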
Re: How do I remove username from MembershipProvider password recovery email?
Feb 06, 2020 03:47 AM|Yang Shen|LINK
Hi haggis999,
Glad to know the problem has been resolved. You can mark the posts which helped solve the problem as the answer so that it can help people who meet the same problem.
Best Regards,
Yang Shen