Security :: Password Recovery Reveals Valid For User Ids?
Jan 4, 2011
A question has been raised concerning password recovery revealing valid user ids. Stage 1 of the password recovery asks for a user id and when progressing to stage 2 will display an error message 'Invalid user id'. In theory this would allow valid user ids to be identified. Is there a setting we are missing? Something that would allow the user id and question to be asked, then a message saying the 'User/Question combination is invalid'.
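One way to get the behaviour asked for above, as an added example that is not part of the original post: a one-step check that takes the user id, question and answer together and returns a single failure message for every failure case. The class name `UniformRecovery` and method `TryReset` are hypothetical, and the code assumes the membership provider is configured with `enablePasswordReset="true"` and `requiresQuestionAndAnswer="true"`.

```csharp
using System;
using System.Configuration.Provider;
using System.Web.Security;

// Hypothetical helper (not part of ASP.NET): one-step recovery that takes the
// user id, the selected question and the answer together, and reports every
// failure with the same message so the response does not confirm a user id.
public static class UniformRecovery
{
    public const string FailureText = "User/Question combination is invalid.";

    // Returns true and the new password on success; false for ANY failure.
    public static bool TryReset(string userName, string question,
                                string answer, out string newPassword)
    {
        newPassword = null;
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(answer))
            return false;

        try
        {
            MembershipUser user = Membership.GetUser(userName);

            // Unknown user, locked-out user and wrong question all leave
            // through the same exit, so the caller cannot tell them apart.
            if (user == null || user.IsLockedOut ||
                !string.Equals(user.PasswordQuestion, question,
                               StringComparison.Ordinal))
                return false;

            // Throws MembershipPasswordException when the answer is wrong.
            newPassword = user.ResetPassword(answer);
            return true;
        }
        catch (MembershipPasswordException) { return false; }
        catch (ProviderException) { return false; }
        catch (ArgumentException) { return false; }
    }
}

// In the submit handler (control names are assumptions):
//   string pwd;
//   if (!UniformRecovery.TryReset(UserName.Text, Question.SelectedValue,
//                                 Answer.Text, out pwd))
//       Status.Text = UniformRecovery.FailureText;
```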
I am a newbie and using Visual Web Developer 2008 Express Edition developing a website with some SQL database and a membership folder.
The membership folder security was set via Website/ASP.NET Configuration and with Permission Deny for Anonymous users, and a user id and password was created.
However when running the website and login with the created userid and password, it failed to log in with error message "Your login attempt was not successful. Please try again." I suspect that the system could not find the ASPNETDB.MDF even though it is in the App_Data folder.
I have separately developed another website with Membership and User Login by following the example in ASP.NET Walkthrough in Learn Web Development, and it works ok.
I am getting an error in case the user submits an incorrect security question answer. I gave text in 'QuestionFailureText'. But it's not working.
Below is the error I am getting. 'Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.
Source Error:
[Code]....
Source File: c:WindowsMicrosoft.NETFramework64v2.0.50727Temporary ASP.NET Filespng.webe16ed3ec284df543App_Web_rvfjstqa.5.cs Line: 0 Stack Trace:
I have the following code. I simply want to select the security question and answer from the DB and do something if the result is true.
This is my code:-
[Code]....
This code always returns the result of "Invalid User Credentials", so this means it does not recognize the values from the DB. When I put something in that SHOULD match I still get the same. I don't get an error message but the logic here is to select security question and answer where the question is equal to the dropdown box and the answer is equal to the textbox. If there is a match then do something.
But this does not work.
You can see what I mean here:-
[URL]
If you select "What street did you grow up in?" from the dropdown and then put in "deeplish" in the security answer, the result should be "**EXISTS".
3) After all this, when the test user enters the correct answer to the security question, nothing happens. I don't even receive the SuccessTemplate message--much less the test email with the password.
Is the problem that the correct answer to the security question is somehow not really being registered? Is the problem server-related? What could I be doing wrong?
I am using the password recovery control to recover the forgotten password and it throws me an error message at the smtp.send(mm) step in the aspx.cs file. Here is the error message I received: "SMTP server requires a secure connection or the client was not authenticated. The server response was 5.5.1. Authentication required"
I don't want to reinvent the wheel with the password recovery control but I do want to customize the email message sent to the user. I have the following code but when I use this, I'm getting an error that states that the system is not configured to retrieve passwords.
I think this is due to the fact that out-of-the-box, the membership system is not configured to retrieve passwords due to password encryption. Then how do I customize "ONLY" the email sent -- with the temp password -- without getting into complete customization of the password recovery control?
I am doing a sign-up page now. Inside my sign-up page, I also have a forgot password table. Now the problem is, can I display my <successTemplate> out of <passwordrecovery>? Because I tried to display a normal successful label and it failed.
I am using Password Recovery Control and cannot get this to work.
Here are the settings I have. I tried ports like 25, 587, 254.
[Code]....
I get errors like
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
OR sometimes...
An existing connection was forcibly closed by the remote host
How do I set up an automatic password recovery feature? (This is an internet application using forms authentication.)
I am trying to set up the common scenario where a user who has forgotten his password clicks a button to request I send him a new password. I then open his browser's default email client (that is no problem, that part I already have coded and it is working fine.) The user then clicks a button to send me his email. Now comes the problem. How do I detect that he has done that?
Am I approaching this problem correctly? Should I be requiring the user to send me an email in order to have his password reset? Or should I just have him fill in textboxes giving me his username & password? Wouldn't this allow a malicious user to abuse the system?
Doing password recovery, after a user enters their user name a verification page appears. The page seems to appear from out of nowhere as I did not create it. I would like to have control over it and reformat it. PS: I have a number of small issues like this with Login. Is there a complete running sample somewhere that shows these things? C# code
I have a problem... my password recovery control is not going into the Question Template section. It was working fine for a couple of days before but for some weird reason it stopped working. Whenever I click the submit button it directly goes and calls the PasswordRecovery1_SendingMail function (it doesn't ask any password recovery question).
I'm using vs2008, asp.net3.5, c#. In the Password Recovery control, there is only user name at the UsernameTemplate. How can I, or can I, add an additional field for the user to also enter their SSN? How do I verify this myself if Password Recovery cannot do the verification for me? I mean, where, like when the submit button is clicked? And then how do I cancel the submit for PR if the tax id is not valid?
I am a beginner of asp.net. I currently have a login page with a forgot password link button on the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing. It prevents the user from accessing the password recovery page once the user clicks on the link button. How do I allow all users access to the login/password pages and also prevent them from viewing the other pages if they are not authenticated? The code below is to prevent anonymous users from viewing other pages without access. But I have no idea how to allow them to access the password recovery page...
<authentication mode="Forms">
  <forms loginUrl="/Presentation/Display/Login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="120" cookieless="UseDeviceProfile" slidingExpiration="true"/>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
  <deny users="?"/>
</authorization>
I am using the password recovery control, but I have one difficulty: when the user clicks on the "Forgot Password" link he is redirected to the "UserName" view of the password recovery template. When the user enters the "User Name" and clicks the submit button he is redirected to the "Question" view of the Password recovery control, and then the user clicks on the "Cancel" button. But when the user again clicks on the "Forgot Password" link, the "Question" view is displayed instead of the "UserName" view. I am not able to reset the Password control to the "UserName" view.
I use the Access membership provider and it works, but I am unable to recover the password. It says that "" membership provider doesn't support to get and zero password." It gives me the error in Turkish and I translated it. Something like that. I am using the below code;
Once the user answers the security question and clicks submit, can you then redirect them to a new page and display their password on screen, rather than send an email?
I want to get code for how to stop sending mail when the email format is wrong in the password recovery control and getting an error message, and also how to get the error message, I mean how to stop that.