
Password Recovery

By Emre Onyurt

Password recovery system
Windows, .NET, ASP.NET, SQL 2005, VS2005, DBA, Dev
Posted: 24 Sep 2006

Introduction

Hello, I have been searching blogs and articles about ASP.NET password recovery systems for a while. Almost all resources on this topic suggest the standard PasswordRecovery control that comes with ASP.NET 2.0. However, the PasswordRecovery control has some limitations. Of course it works without any problem, but some developers want more options. In this article we will talk about writing our own password recovery system. For example, we don't want to send the password to the user's email address directly. We may want to send a link instead of a clear-text password for security reasons. This link redirects the user to a change-password page without asking for the old password.

As you know, the ASP.NET 2.0 PasswordRecovery control asks for the user name first; then, if the user name exists in the membership database, the user receives the password in clear text. If you are using hashed passwords in your membership database, retrieving an old password is impossible, since passwords are one-way hashed. However, if you make the following changes to the membership provider settings in the web.config file:

passwordFormat="Hashed"
enablePasswordReset="true"
enablePasswordRetrieval="false"

you can use the standard PasswordRecovery control with hashed passwords. However, in this case, when a user wants to recover the password, the old password is first reset, then a random password is generated and sent to the user's e-mail account. It will be a totally meaningless, hard-to-remember password, so users will have to go to their account page to change it. To make it more secure, if a user forgets his/her password, sending a password change link to the user's email account instead of a new password would be a better option.

I am going to skip steps like creating a mail body that includes a specific link and sending it to the user. These steps can be done in several ways. For example, on the password recovery page we can ask the user to type an e-mail address, and with this email address we can grab the userid from the membership database. With this user id we can create a link such as: http://www.nameofwebsite.com/passwordreset.aspx?userid=5e51d1fd-f8c8-431d-9b28-3db61e2dsfsfsfsfs0f30f and send it to the user's email.
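
The link above carries only the userid, so the reset page accepts anyone who holds that value. As an added example (not the article's code), the sketch below goes beyond that link and issues a random, single-use, expiring token instead; the class name `ResetLinks`, the `token` query parameter and the in-memory store are hypothetical stand-ins.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not part of the article's code.
public static class ResetLinks
{
    // Stand-in for a database table keyed by SHA-256(token); only the hash is stored.
    // A Dictionary is not thread-safe; a real site would use a table with a unique key.
    private static readonly Dictionary<string, KeyValuePair<Guid, DateTime>> Pending =
        new Dictionary<string, KeyValuePair<Guid, DateTime>>();

    private static string Sha256Hex(string s)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(s))).Replace("-", "");
    }

    // Returns the link to e-mail. The token is 32 random bytes, not the user id.
    public static string Issue(Guid userId, TimeSpan lifetime)
    {
        byte[] raw = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", "");
        Pending[Sha256Hex(token)] =
            new KeyValuePair<Guid, DateTime>(userId, DateTime.UtcNow.Add(lifetime));
        return "https://www.nameofwebsite.com/passwordreset.aspx?token=" + token;
    }

    // Returns the user id once for a known, unexpired token; null otherwise.
    public static Guid? Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string key = Sha256Hex(token);
        KeyValuePair<Guid, DateTime> entry;
        if (!Pending.TryGetValue(key, out entry)) return null;
        Pending.Remove(key); // single use: consumed even when already expired
        return entry.Value > DateTime.UtcNow ? entry.Key : (Guid?)null;
    }

    public static void Main()
    {
        Guid user = Guid.NewGuid(); // constructed sample user id
        string link = Issue(user, TimeSpan.FromMinutes(30));
        string token = link.Substring(link.IndexOf("token=") + 6);
        Console.WriteLine(Redeem(token) == user);           // first use of the token
        Console.WriteLine(Redeem(token) == null);           // same token used again
        Console.WriteLine(Redeem(user.ToString()) == null); // a bare user id is not a token
    }
}
```

On the reset page, the user id returned by `Redeem` would take the place of the `userid` query-string value when looking up the user name.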

After this step we are going to create password reset page. In this page we drag and drop:

  1. detailsview control
  2. sqldatasource control
  3. 2 textboxes
  4. A button

Our DetailsView control will be invisible, because we only use it to grab the user name from the userid. We are going to use the SqlDataSource to bind the DetailsView to the membership database. The textboxes are for typing the new password; we use two because the second one is for re-typing it. The button is the "change password" button.

First I will start with the .aspx page, then I am going to explain the .cs (code-behind) file.

In the .aspx page, we create a DetailsView control and set its Visible property to false. Drag and drop a SqlDataSource and connect it to the membership database. In the SELECT statement we select the username and userid from the users table. Set the QueryStringParameter to userid.

Passwordreset.aspx;

<asp:DetailsView ID="DetailsView1" runat="server" AutoGenerateRows="False" 
     DataSourceID="SqlDataSource1" DefaultMode="Edit" Height="50px" 
     Width="125px" AutoGenerateInsertButton="True" 
     AutoGenerateEditButton="True" Visible="False">

<Fields>
   <asp:BoundField DataField="userid" HeaderText="UserId" 
        SortExpression="UserId" />
   <asp:TemplateField HeaderText="username" SortExpression="username">
     <EditItemTemplate>
        <asp:TextBox ID="TextBox1" runat="server" 
             Text='<%# Bind("username")%>'></asp:TextBox>
     </EditItemTemplate>
     <InsertItemTemplate>
        <asp:TextBox ID="TextBox1" runat="server" 
             Text='<%# Bind("username")%>'></asp:TextBox>
     </InsertItemTemplate>
     <ItemTemplate>
        <asp:Label ID="Label1" runat="server" 
             Text='<%# Bind("username")%>'></asp:Label>
     </ItemTemplate>
   </asp:TemplateField>
</Fields>

</asp:DetailsView>

<asp:SqlDataSource ID="SqlDataSource1" runat="server" 
     ConnectionString="<%$ ConnectionStrings:membership %>"
     SelectCommand=
    "SELECT [UserName], [UserId] FROM [vw_aspnet_Users] Where userid=@userid"
>
   <SelectParameters>
      <asp:QueryStringParameter Name="UserId" QueryStringField="UserId" /> 
   </SelectParameters>
</asp:SqlDataSource>

This way, with a link that includes the userid, we can grab the username for that userid. We need the user name in order to make password changes in the membership table.

In the .cs file, we grab this username from the DetailsView control.

With this user name, we are going to reset the old hashed password and insert the new one into the membership database.

PASSWORDRESET.ASPX.CS FILE

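// Needs: using System; using System.Web.Security; using System.Web.UI.WebControls;
protected void Button1_Click(object sender, EventArgs e)
{
    // The two textboxes must hold the same new password.
    if (TextBox2.Text != TextBox3.Text)
    {
        Label2.Text = "Retype your Password";
        return; // stay on the page so the message is shown
    }

    // User name loaded by the hidden DetailsView for the userid in the link.
    TextBox UserName1 = (TextBox)DetailsView1.FindControl("TextBox1");
    MembershipUser user = (UserName1 == null) ? null : Membership.GetUser(UserName1.Text);
    if (user == null)
    {
        Label2.Text = "User not found";
        return;
    }

    // Reset to a generated password, then replace it with the chosen one.
    string oldpswd = user.ResetPassword();
    string newpass = TextBox2.Text;
    if (!user.ChangePassword(oldpswd, newpass))
    {
        Label2.Text = "Password could not be changed";
        return;
    }
    Label2.Text = "Your Password has been changed";
    Response.Redirect("login.aspx");
}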

At the end of these steps the new password is stored in hashed format. The call Response.Redirect("login.aspx") then redirects the user to the login page.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

About the Author

Emre Onyurt

I am a master's student in the Information Management field. I also work as an ASP.NET developer.
Occupation: Web Developer
Location: United States

Last Updated: 24 Sep 2006
Copyright 2006 by Emre Onyurt