Password Recovery
By Emre Onyurt
Password recovery system
Windows, .NET, ASP.NET, SQL 2005, VS2005, DBA, Dev
Hello, I have been searching blogs and articles about ASP.NET password recovery systems for a while. Almost all resources on this topic point to the standard PasswordRecovery control that ships with ASP.NET 2.0. That control works without any problem, but it has some limitations, and some developers want more options. In this article we will write our own password recovery system. For example, we don't want to send the password to the user's e-mail address directly; for security reasons we may want to send a link instead of a clear-text password. This link takes the user to a change-password page that does not ask for the old password.
As you know, the ASP.NET 2.0 PasswordRecovery control asks for the username first; then, if the username exists in the membership database, the user receives a clear-text password. If you are using hashed passwords in your membership database, retrieving the old password is impossible, since passwords are one-way hashed. However, if you set the following attributes on the membership provider in web.config:
passwordFormat="Hashed"
enablePasswordReset="true"
enablePasswordRetrieval="false"
you can use the standard PasswordRecovery control with hashed passwords. In this case, when a user wants to recover the password, the old password is reset first, then a random password is generated and sent to the user's e-mail account. It will be a totally meaningless, hard-to-remember password, so users will have to go to their account page to change it. To make the process more secure, if a user forgets his/her password, sending a password-change link to the user's e-mail account instead of a new password is the better option.
I am going to skip steps like creating a mail body that includes the specific link and sending it to the user. These steps can be done in several ways. For example, in the password recovery page we can ask the user to type an e-mail address, and with this e-mail address we can look up the userid in the membership database. With this userid we can create a link such as http://www.nameofwebsite.com/passwordreset.aspx?userid=5e51d1fd-f8c8-431d-9b28-3db61e2dsfsfsfsfs0f30f and send it to the user's e-mail address.
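One way to implement the recovery page the article skips, added here as an example (not the article's own code): it looks the membership user up by e-mail address, builds the passwordreset.aspx link from the user's ProviderUserKey and mails it. The control names EmailTextBox, StatusLabel and SendLinkButton, and a <system.net><mailSettings> section in web.config that supplies the SMTP host and From address, are assumptions.

```csharp
// Added example, not from the article. Assumed controls: EmailTextBox,
// StatusLabel, SendLinkButton; assumed web.config mailSettings for SmtpClient.
using System;
using System.Net.Mail;
using System.Web.Security;
using System.Web.UI;

public partial class PasswordRecovery : Page
{
    protected void SendLinkButton_Click(object sender, EventArgs e)
    {
        string email = EmailTextBox.Text.Trim();

        // GetUserNameByEmail returns null when no account uses this address.
        string userName = Membership.GetUserNameByEmail(email);
        MembershipUser user = (userName == null) ? null : Membership.GetUser(userName);

        if (user != null)
        {
            // ProviderUserKey is the UserId GUID that passwordreset.aspx reads
            // from its query string (same link format as the article).
            Guid userId = (Guid)user.ProviderUserKey;
            string link = "http://www.nameofwebsite.com/passwordreset.aspx?userid=" + userId;

            MailMessage msg = new MailMessage();
            msg.To.Add(email);
            msg.Subject = "Password reset";
            msg.Body = "Follow this link to choose a new password: " + link;

            // Host, port and From address come from <mailSettings> in web.config.
            new SmtpClient().Send(msg);
        }

        // Show the same message whether or not the address exists, so the page
        // does not reveal which e-mail addresses have accounts.
        StatusLabel.Text = "If an account exists for this address, a reset link has been sent.";
    }
}
```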
After this step we are going to create the password reset page. Onto this page we drag and drop a DetailsView, a SqlDataSource, two TextBoxes, a Button and a Label.
Our DetailsView control will be invisible, because we only use it to obtain the username for the userid. We use the SqlDataSource to bind the DetailsView to the membership database. Our textboxes are for typing the new password; we use two textboxes because the second one is for re-typing the new password. Our button is the "change password" button.
First I will start with the .aspx page, then I am going to explain the .cs (code-behind) file.
In the .aspx page, we create a DetailsView control and set its Visible property to false. Drag and drop a SqlDataSource and connect it to the membership database. In the SELECT statement we select the username and userid from the users view. Set the QueryStringParameter to userid.
Passwordreset.aspx:
<asp:DetailsView ID="DetailsView1" runat="server" AutoGenerateRows="False"
    DataSourceID="SqlDataSource1" DefaultMode="Edit" Height="50px"
    Width="125px" AutoGenerateInsertButton="True"
    AutoGenerateEditButton="True" Visible="False">
    <Fields>
        <asp:BoundField DataField="userid" HeaderText="UserId"
            SortExpression="UserId" />
        <asp:TemplateField HeaderText="username" SortExpression="username">
            <EditItemTemplate>
                <asp:TextBox ID="TextBox1" runat="server"
                    Text='<%# Bind("username") %>'></asp:TextBox>
            </EditItemTemplate>
            <InsertItemTemplate>
                <asp:TextBox ID="TextBox1" runat="server"
                    Text='<%# Bind("username") %>'></asp:TextBox>
            </InsertItemTemplate>
            <ItemTemplate>
                <asp:Label ID="Label1" runat="server"
                    Text='<%# Bind("username") %>'></asp:Label>
            </ItemTemplate>
        </asp:TemplateField>
    </Fields>
</asp:DetailsView>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
    ConnectionString="<%$ ConnectionStrings:membership %>"
    SelectCommand="SELECT [UserName], [UserId] FROM [vw_aspnet_Users] WHERE [UserId] = @UserId">
    <SelectParameters>
        <asp:QueryStringParameter Name="UserId" QueryStringField="UserId" />
    </SelectParameters>
</asp:SqlDataSource>
In this way, given a link that includes the userid, we can retrieve the username for that userid. We need the username in order to change the password through the Membership API.
In the .cs file, we read this username from the DetailsView control.
With this username, we reset the old hashed password and store the new one in the membership database.
Passwordreset.aspx.cs:
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

protected void Button1_Click(object sender, EventArgs e)
{
    if (TextBox2.Text == TextBox3.Text)
    {
        // The hidden DetailsView has already bound the username for the userid in the query string.
        TextBox UserName1 = (TextBox)DetailsView1.FindControl("TextBox1");
        string un = UserName1.Text;
        MembershipUser user = Membership.GetUser(un);
        if (user == null)
        {
            // GetUser returns null when the username is not in the membership database.
            Label2.Text = "User not found";
            return;
        }
        // ResetPassword replaces the stored hash with a random password and returns
        // that password in clear text, which is then used as the "old" password.
        string oldpswd = user.ResetPassword();
        string newpass = TextBox2.Text;
        user.ChangePassword(oldpswd, newpass);
        Label2.Text = "Your Password has been changed";
        Response.Redirect("login.aspx");
    }
    else
    {
        // Stay on the page so the user can see the message and retype the password.
        Label2.Text = "Retype your Password";
    }
}
At the end of these steps the new password is stored in hashed format. By calling Response.Redirect("login.aspx") the user is redirected to the login page.
Last Updated: 24 Sep 2006
Copyright 2006 by Emre Onyurt. Everything else Copyright © CodeProject, 1999-2009.