Click here to Skip to main content
13,804,051 members
Click here to Skip to main content
Add your own
alternative version

Tagged as


32 bookmarked
Posted 6 Dec 2009
Licenced CPOL

Improved ASP.NET Password Recovery

, 6 Dec 2009
Rate this:
Please Sign up or sign in to vote.
This page will show you how to make an XHTML 1.1 strict password recovery form that will prompt for a username and email before continuing.


The ASP.NET built in password recovery tool is pretty cool. With a few exceptions:

  1. It doesn't validate
  2. It only requires a username to continue the process, not a username/email match
  3. It sends a very basic email to whoever is recovering their password

This article will go over the process to customize the ASP.NET password recovery tool, and make it do the following things:

  1. Validate as XHTML 1.1
  2. Require a username/email combination in order to reset
  3. Send a customized email to the user whose password is being reset


Anyone wishing to do this will need to be comfortable customizing ASP.NET controls. While this process isn't complicated, if you're new to ASP.NET, it may be a little confusing to you.

Using the code

First and foremost, you'll need to enable password retrieval in web.config. This will look like this:

 <membership defaultProvider="CustomizedProvider">
        <clear />
        <add name="CustomizedProvider" 










           requiresQuestionAndAnswer="true" />

Note that the only attributes that must be set to the above values are "enablePasswordReset" and requiresQuestionAndAnswer.

Second, ensure the following section is also in your web.config:

            <network defaultCredentials="false" 

               host="" port="YOURPORT" 


               password="YourPassword" />

This will allow your password recovery box to send emails.

Now for the password recovery control.

You'll notice that we have a literal named "PersonName". My web application stores the first and last names of registered users. I wanted to fill the second page of this form with their real name, as opposed to their username, which is the default.

<asp:PasswordRecovery OnVerifyingUser="validateUserEmail" 

      SuccessText="Your password was successfully reset and emailed to you."

      QuestionFailureText="Incorrect answer. Please try again." 

      runat="server" ID="PWRecovery" 

      UserNameFailureText="Username not found.">
    <MailDefinition IsBodyHtml="true" BodyFileName="email.txt" 


           Subject="Password Reset" 

        <p>The steps below will allow you to have 
           a new password sent to the registered email address.</p>
                <asp:TextBox ID="Username" runat="server" />
                <asp:TextBox ValidationGroup="PWRecovery" 

                   runat="server" ID="EmailAddressTB">
                <asp:Button ID="submit" 





                   Text="Submit" />
                <p class="Error"><asp:Literal ID="ErrorLiteral" 

        <asp:Literal runat="server" ID="personname" />,
            You must answer your recovery question 
            in order to have a new email sent to you.
                <asp:Literal runat="server" ID="Question" />
                <asp:TextBox runat="server" ID="Answer" />
                <asp:Button runat="server" ID="submit" 

                  Text="Submit" CommandName="submit" />
                <p class="Error">
                    <asp:Literal ID="FailureText" runat="server">

The code-behind for this file is relatively simple, with only a validation event.

You may have noticed that I created a cookie during the validation event. My web application stores a person's first and last name as a profile attribute, "FullName". I wanted this form to recognize them by name instead of by a username, and creating a cookie was a relatively easy way to do it.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;

public partial class retrievepw : System.Web.UI.Page
    protected void Page_Load(object sender, EventArgs e)
        if (IsPostBack)
            Literal personname = 
            personname.Text = Request.Cookies["usernameCookie"].Value;
    protected void validateUserEmail(object sender, LoginCancelEventArgs e)
        TextBox EmailAddressTB = 
    Literal ErrorLiteral = 
    MembershipUser mu = Membership.GetUser(PWRecovery.UserName);
    if (mu != null) // The username exists
            if (mu.Email.Equals(EmailAddressTB.Text)) // Their email matches
                ProfileCommon newProfile = Profile.GetProfile(PWRecovery.UserName);
                HttpCookie appCookie = new HttpCookie("usernameCookie");
                appCookie.Value = newProfile.FullName;
                appCookie.Expires = DateTime.Now.AddMinutes(3);
                e.Cancel = true;
                ErrorLiteral.Text = "Your username and password do not match";
            e.Cancel = true;
            ErrorLiteral.Text = "No such user found.";

Emails for the ASP.NET password recovery are sent using MailDefinition, which is correctly defined above. You may have noticed the "email.txt" value that was supplied. This corresponds to a .txt file on the web server.

This file's contents are below:

<p>You are receiving this email on behalf of YOUR WEBSITE 
          because you have requested a new password.</p>
<p>Your new password is <%Password%></p>
<p>We suggest that you login immediately and change your password.</p>
<p>Thanks,<br/>Your Website Team</p>

This email can use two variables from the form: <%Username%> and <%Password%>. You may use either as the occasion calls.

That's it! A password recovery box that will send a custom email, validate, and require a little more rigorous of an authentication step!


  • 12/6/2009 - Posted.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Web Developer Missouri State University
United States United States
I am a Computer Science student and web application programmer for Missouri State University. I have been doing web development for several years, and two years professionally.

You may also be interested in...

Comments and Discussions

GeneralNice piece of work. :) Pin
kevinl3313-Feb-14 10:06
memberkevinl3313-Feb-14 10:06 
GeneralMy vote of 5 Pin
cblessinger27-Aug-13 10:23
membercblessinger27-Aug-13 10:23 
QuestionWhat Happend with MDB databases? Pin
dafepi200429-Dec-10 18:32
memberdafepi200429-Dec-10 18:32 
QuestionProfileCommon Pin
Terppe9-Dec-09 2:02
memberTerppe9-Dec-09 2:02 

nice artikel.
I tried to implement in a webb Application not web-site under VS2008.

failure ProfileCommon not found.

Do you know a way?

AnswerRe: ProfileCommon Pin
daegan9-Dec-09 14:17
memberdaegan9-Dec-09 14:17 
GeneralRe: ProfileCommon Pin
Terppe14-Dec-09 6:25
memberTerppe14-Dec-09 6:25 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Cookies | Terms of Use | Mobile
Web02 | 2.8.181218.1 | Last Updated 6 Dec 2009
Article Copyright 2009 by daegan
Everything else Copyright © CodeProject, 1999-2018
Layout: fixed | fluid