Password Recovery

24 Sep 2006, CPOL, 3 min read
A password recovery system.

Introduction

I have been searching blogs and articles for ASP.NET password recovery systems for a while. Almost all resources on this topic suggest the standard password recovery control that ships with ASP.NET 2.0. That control works without problems, but it has limitations, and some developers want more options. In this article, we will write our own password recovery system. For example, we may not want to send a password to a user's email address at all. For security reasons, we may prefer to send a link instead of a plain-text password. This link takes the user to a change-password page without asking for the old password.

As you know, the ASP.NET 2.0 password recovery control asks for the username first; if the user name exists in the membership database, the user receives a plain-text password. If you store hashed passwords in your membership database, retrieving the old password is impossible, since passwords are one-way hashed. However, if you set the following attributes on the membership provider's <add> element in web.config:

passwordFormat="Hashed"
enablePasswordReset="true"
enablePasswordRetrieval="false"

you can use the standard password recovery control with hashed passwords. In this case, when a user wants to recover the password, the old password is reset first, and then a random password is generated and sent to the user's e-mail account. It will be a totally meaningless, hard-to-remember password, so users will have to go to their account page to change it. A more secure option, when a user forgets his/her password, is to send a password-change link to the user's email account instead of a new password.

I am going to skip steps such as creating a mail body that includes the specific link and sending it to the user. These steps can be done in several ways. For example, in the password recovery page, we can ask the user to type an e-mail address, and with this email address we can look up the user ID in the membership database. With this user ID, we can create a link such as http://www.nameofwebsite.com/passwordreset.aspx?userid=5e51d1fd-f8c8-431d-9b28-3db61e2dsfsfsfsfs0f30f and send it to the user's email.

After this step, we are going to create a password reset page. In this page, we drag and drop:

  • A DetailsView control
  • A SqlDataSource control
  • Two TextBoxes
  • A Button

Our DetailsView control will be invisible, because we only use it to obtain the user name from the user ID. We use the SqlDataSource to bind the DetailsView to the membership database. The textboxes are for typing the new password; we use two because the second one is for re-typing it. The button is the 'Change Password' button.

First, I will start with the ASPX page, and then I will explain the .cs (code-behind) file.

In the .aspx page, we create a DetailsView control and set its Visible property to False. Drag and drop a SqlDataSource and connect it to the membership database. In the SELECT statement, we select the username and user ID from the users view, filtered by user ID. Set the QueryStringParameter to userid.

Passwordreset.aspx
ASP.NET
<asp:DetailsView ID="DetailsView1" runat="server" AutoGenerateRows="False" 
     DataSourceID="SqlDataSource1" DefaultMode="Edit" Height="50px" 
     Width="125px" AutoGenerateInsertButton="True" 
     AutoGenerateEditButton="True" Visible="False">

<Fields>
   <asp:BoundField DataField="userid" HeaderText="UserId" 
        SortExpression="UserId" />
   <asp:TemplateField HeaderText="username" SortExpression="username">
     <EditItemTemplate>
        <asp:TextBox ID="TextBox1" runat="server" 
             Text='<%# Bind("username")%>'></asp:TextBox>
     </EditItemTemplate>
     <InsertItemTemplate>
        <asp:TextBox ID="TextBox1" runat="server" 
             Text='<%# Bind("username")%>'></asp:TextBox>
     </InsertItemTemplate>
     <ItemTemplate>
        <asp:Label ID="Label1" runat="server" 
             Text='<%# Bind("username")%>'></asp:Label>
     </ItemTemplate>
   </asp:TemplateField>
</Fields>

</asp:DetailsView>

<asp:SqlDataSource ID="SqlDataSource1" runat="server"
     ConnectionString="<%$ ConnectionStrings:membership %>"
     SelectCommand="SELECT [UserName], [UserId] FROM [vw_aspnet_Users] WHERE UserId = @UserId">
   <SelectParameters>
      <asp:QueryStringParameter Name="UserId" QueryStringField="UserId" /> 
   </SelectParameters>
</asp:SqlDataSource>

This way, from a link that includes the user ID, we can obtain the username for that user ID. We need the user name in order to change the password in the membership table.

In the .cs file, we grab this user name from the DetailsView control. With this user name, we are going to reset the old hashed password and insert a new one into the membership database.

Passwordreset.aspx.cs
C#
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

// Code-behind handler for the 'Change Password' button on Passwordreset.aspx.
protected void Button1_Click(object sender, EventArgs e)
{
    if (TextBox2.Text == TextBox3.Text)
    {
        // The username sits in the DetailsView's edit template (TextBox1).
        TextBox UserName1 = (TextBox)DetailsView1.FindControl("TextBox1");
        string un = UserName1.Text;

        MembershipUser user = Membership.GetUser(un);
        if (user == null)
        {
            Label2.Text = "User not found";
            return;
        }

        // Hashed passwords cannot be read back: reset to a random one, then change it.
        string oldpswd = user.ResetPassword();
        string newpass = TextBox2.Text;

        if (user.ChangePassword(oldpswd, newpass))
        {
            Label2.Text = "Your Password has been changed";
            Response.Redirect("login.aspx");
        }
        else
        {
            Label2.Text = "The new password was rejected; please try again";
        }
    }
    else
    {
        // Redirecting here would hide the message, so stay on the page.
        Label2.Text = "Retype your Password";
    }
}

At the end of these steps, the new password is stored in hashed format. By calling Response.Redirect("login.aspx");, the user is redirected to the login page.
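The link above carries the raw UserId, so anyone who learns it can reset that account at any time; the "A little enhancement" comment below suggests making the recovery expire. As an added example (not code from the article or its comments), here is that idea in C#: a random, single-use, time-limited token goes in the link instead of the UserId, and the reset page redeems it with the same Membership calls. The in-memory Dictionary is an assumed stand-in for a table in the membership database, and the provider is assumed to have requiresQuestionAndAnswer="false" so that ResetPassword() succeeds.

```csharp
// Added example, not from the article: an expiring, single-use reset token for the
// e-mail link in place of the raw UserId. The Dictionary stands in for a DB table.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

public static class ResetTokens
{
    private class Entry { public Guid UserId; public DateTime Expires; }
    // Keyed by SHA-256 of the token, so a copied store yields no usable tokens.
    private static readonly Dictionary<string, Entry> store = new Dictionary<string, Entry>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);
    private static string Hash(string t) { return Convert.ToBase64String(SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(t))); }

    // Mail-building step: returns the opaque value for passwordreset.aspx?token=...
    public static string Issue(Guid userId)
    {
        byte[] raw = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(raw);          // 256 bits from the CSPRNG
        string token = Convert.ToBase64String(raw);
        lock (store) store[Hash(token)] = new Entry { UserId = userId, Expires = DateTime.UtcNow + Lifetime };
        return token;
    }

    // Reset-page step: a token works once, and only before it expires.
    public static bool TryConsume(string token, out Guid userId)
    {
        userId = Guid.Empty;
        if (string.IsNullOrEmpty(token)) return false;
        string key = Hash(token);
        lock (store)
        {
            Entry e;
            if (!store.TryGetValue(key, out e)) return false;
            store.Remove(key);                                  // single use, expired or not
            if (e.Expires < DateTime.UtcNow) return false;
            userId = e.UserId;
            return true;
        }
    }

    // The article's reset, driven by the token: reset to a random password, then change it.
    public static bool ResetWithToken(string token, string newPassword)
    {
        Guid userId;
        if (!TryConsume(token, out userId)) return false;
        MembershipUser user = Membership.GetUser(userId);       // overload taking the ProviderUserKey
        return user != null && user.ChangePassword(user.ResetPassword(), newPassword);
    }
}
```

In Button1_Click, read the token from the query string and call ResetWithToken instead of looking the username up through the hidden DetailsView.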

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By
Web Developer, United States
I am a master student in Information Management field. I also work as ASP.NET developer.

Comments and Discussions

[Answer] Great Article thanks for saving me time looking elsewhere
MarcBrewer13-May-14 4:13

[Question] [My vote of 1] No code, no stars
msdevtech23-Apr-14 5:59

[General] My vote of 1
Shubham Choudhary1-Mar-14 2:30

[Question] DATABASE
shivasharmaarya7-Mar-12 5:38

[General] My vote of 1
peymanshams7-Dec-10 22:54

[General] My vote of 1
djpitagora17-Feb-10 22:17

[Question] Sample code ?
ohcidnal28-Nov-07 11:24

[General] Asp.net Log on
vijayanithu26-Oct-07 8:12

[General] Thanks !!!
umaramiya16-Apr-07 0:04

[Question] Sample?
TheBigOnion229-Mar-07 10:33

[General] Security Issue
dbaltas18-Feb-07 20:23

[General] Re: Security Issue
Member 292023918-Jun-10 15:55

[General] A little enhancement
dapoussin5-Nov-06 22:17
First of all, thank you for this article, it's very clear and well written :)
I would add a little enhancement for a more secure solution: a datetime in the membership SQL table to make the password recovery expire.

Cheers
Laurent

[General] I like that article :)
AsliYildiz27-Sep-06 4:18

[General] Re: I like that article :)
Emre Onyurt27-Sep-06 4:30

[General] Re: I like that article :)
aynen46731-Oct-08 14:59

[General] THANKS!!
SlowMotion25-Sep-06 5:50

[General] good job
subai25-Sep-06 1:29

[General] nice!
cbmdk24-Sep-06 22:37

[General] Great Solution!
Mr.Know24-Sep-06 11:04
