C# Membership Provider - Reset Password Features - Email Confirmation And Password Change?
Jun 28, 2010
Does anyone has a solution (sample code) for the following features:
Create a randomGuid/Cryptographically strong random number Send a unique URL containing the random number to the user's email address When confirmed, the user is asked to change password
My provider is currently parametrized this way:
[code]....
The security issues with this type of procedure have been discussed here before.
I had been trying to solve this but there is a hidden key i wish someone point me to.
I had a simple membership database with users in first the Membership Provider configured for clear password to retrieve the original password .
Now a new requirement say that the password must be hashed and reset .
I configure the Membership password to hash , and Implemented the Reset Password Module.
My problem is as follow.
If the user is new registered user with the new configuration the password and the security answer is hashed.
also when I go and reset the password it continue to be hashed.
Now I thought that with new configuration if any previous user with clear text configuration , If he use the password Reset module , because my configuration now is hashed , I expected that the new password and security answer will be hashed . what happen is old user continue in clear text even if the configuration is hashed. so If I had new users everything is fine.
old users Membership Provider somehow know they had been stored in clear text and it keep change password and security answer in clear text . If I delete this user and create it , Membership Provider understand that everything will be hashed. I need to know how it know this , I need to migrate users not to delete and recreate users .
Also if there are no solution for that , I wish Microsoft Consider it in future cause it is a real user scenario, that can happen imagine a business system that related to membership user Id , deleting users and recreate them is not a solution .
Am using ASP.NET membership authentication in a small website and i just noticed some thing funny during testing. Am trying to enable user to change their login password any time they wish, i dragged a change password control to the form, i changed the password for my test account, but now all passwords are still working.
I can login with the old password as well as the new password with this particular test account. If i try with any other random characters as the new password, i cant successfully login (which OK). But if type the old password, am able to login, if i type the new password, am still able to login, am finding this very strange.
I'm looking for guidence on writing a custom password reset UI, but it must fit the Provider 'Pattern', or degrade silently to built-in defaults. E.g. my Reset Control must collect extra information, and perform differently to the standard Password Recovery Control. It must close as possible use the standard MembershipProvider interface for standard functions, and only use an extended interface for the non-standard stuff.I'd like some reading on issues such as, what must I ask the Membership Provider for, and what must I do myself. What must I tell the provider (service?) about what I do?
I am using membership control in my webapplication.On reseting password, i want control should generate password such that i can define the length of the password.
When a user that has their IE set to save passwords hits my "Reset Password" form, the first text box set with TextMode set to "Password" is populated with the users saved password. Understandable, this is not the affect I would like as this is their "old" password. I cannot set the text of a text box with mode set to "Password" (naturally). Does someone know how to suppress or clear this value when IE is saving passwords?
I have written a simple jQuery dialog box that will appear in an asp panel if the logged in user has not reset their password in the last 90 days. This is working great, however when the user types in their password and presses submit to insert the new password into the database, the parent page is posting back before the click event is fired on the user control.
Here is how it is set up:
default.aspx <asp:Panel ID="pnlTest" runat="server" Visible="false"> <div id="dialog" title="Password must be reset"> <cms:ResetPassword runat="server" ID="reset" />
[Code]....
Whenever I click the button to change the password, the default page is calling a postback and it is blanking out the text that was input to change the password, so when the click function gets called the strings come through as "" and it throws an error.
ser enters email addressafter submit, an email is sent to the user The email will include a link that will take the user to a reset password page.Now, how do I fetch user's ID based on the email address and encrypt it? Then what should link be? Like, what I want is fetch the User ID then encrypt it somehow so that the link doesn't contain the actual ID and that link will take the user to a page that will have textboxes to reset the password. I am just confused how to go about it.Also is this the secure way? To reset a password like this?
Do I need to make a Custom Membership Provider or is there another way?
I have a project using ASP.NET Forms Authentication and the Microsoft SQL Membership Provider. The website is DONE. I use this provider everywhere. (Register, Login, Forgot Password, etc...) Until now, my website users have not needed complex passwords. The users' passwords were really just pins. The user could select anything for a password in the past. I had almost no restrictions for this website because none of the data is private or personal. However I have received new requirements.
Here are the new password requirements:
Passwords must be at least 8 characters in length. Passwords must be created using 3 of the following 4 character types:
Uppercase Lowercase Numeric Punctuation
Do not use your name or User ID in the password. Do not use old passwords again later. Passwords must be changed at least every 60 days. Passwords may not contain your User ID or any part of your full name. Password history retention will prohibit use of the last 24 passwords. Passwords may be changed by users only once in any 6-day period.
I realize I am going to have to modify all of the following pages: Register, Login, Forgot Password, etc... fortunately I stopped using the default controls a long time ago.
My first thought was that I need to write a Custom Membership Provider. I don't know how to make the standard provider to do most of this. I could write code to do.
Do I modify the aspnet_membership table? Should I add my own table aspnet_something? Can the user profile table be used for this problem? Do I need my own MembershipUser class?
I am using Membership provider.. I integrated the aspnet member tables into my database.
I need the user to enter password on a data entry form and validate it against the membership tables.
How can I do this. This is the set up. I have few fields and user enters those fields and also enters the password, and submits the form. It is kind of like signature... i am looking for something like..
I am using a custom membership provider with a custom ValidateUser method. The ValidateUser sends and additional parameter to authenticate my users (Username, Password, and Dealer). I created a custom stored procedure for ValidateUser to call. I copied over all my users from another table and encrypted all the passwords in the aspnet_membership table using the code below. My question is, how do I take the password the user enters in the login form and validate that against what is in my aspnet_membership Here is the code I used to encrypt the passwords (not even sure this was the right way to encrypt. Please tell me if I did this wrong):
public static string EncodePasswordNow(string originalPassword) { Byte[] originalBytes;
I'm using a website as a frontend and all users are authenticated with the standard ASP.NET Membership-Provider. Passwords are saved "hashed" within a SQL-Database.Now I want to write a desktop-client with administrative functions. Among other things there should be a method to reset a users password. I can access the database with the saved membership-data, but how can I manually create the password-salt and -hash? Using the System.Web.Membership Namespace seems to be inappropriate so I need to know how to create the salt and hash of the new password manually.
I use access membership prvider and it works. but I am unable to recover passwork. It says that "" membership provider doesn't support to get and zero password." It gives me the error in turkish and I translated it. Something like that. I am using the below code;
I have converted the change password control to a template. It is inside an update panel. After changing the password the confirm button takes the user to the success step by updating the update panel. Then by clicking the OK button, I would like to reset the password changer to its initial state so that the user can change the password again. Right now I am not sure how this is done and the control simply remains at the second step, telling the user "password has been changed" . User can press OK. What must I write in the OK button click event to reset the password control to its original state?
URL...how we can sending formatted email now in my Login.aspx page i have Textbox that when users forget their password they should type their Username on the textbox and after that click on send button.I want when users click on send button their user name that they type in textbox be on the email that send to me .
How can I use Membership.GeneratePassword to return a password that ONLY contains alpha or numeric characters? The default method will only guarantee a minimum and not a maximum number of non alphanumeric passwords.
