R – Does ASP.NET Membership have a mechanism to generate password reset URLs

asp.netasp.net-membership

I am using ASP.NET MVC with ASP.NET membership.

Following best practices for 'I forgot my password logic' I want to do the following :

send the user an email with a link to a unique, hidden URL that allows him to change his password
asking for a password reset does NOT reset the password. you need the unique link.

I'm looking for suggestions on the best way to generate this URL, make it valid only temporarily and then validate it. I think the ASP.NET membership standard way is to have a 'security question' which is really a lousy way of doing it.

What would be the best way to generate and validate such a link. SHould I just generate a GUID and put it in the user's profile? I dont think there is any other pre-built right?

Best Answer

Your solution is fine... Generating a GUID is OK for temporary password resets. Just be sure you aren't generating it until the user asks for it, then add it to their profile with a timestamp... and give it a very short window of opportunity, like an hour. Reset/clear it when the user accesses the URL.

Related Solutions

How to not use ASP.Net Membership Security Question and Answer for custom password recovery

What I ended up doing was the following

public string ResetPassword(string email)
        {
            var m_userName = Membership.GetUserNameByEmail(email);
            var m_user = Membership.GetUser(m_userName);
            return m_user.ResetPassword();
        }

then I added a new method to use this value to change the password

public bool ChangeLostPassword(string email, string newPassword)
    {
        var resetPassword = ResetPassword(email);
        var currentUser = Membership.GetUser(Membership.GetUserNameByEmail(email), true);
        return currentUser.ChangePassword(resetPassword, newPassword);

    }

C# – ASP.NET Membership Provider – Reset Password Features – Email Confirmation and Password Change

Rui, I was in a similar boat a few moths ago, and not having had a great deal of exposure to the membership provider before, I struggled to get it implemented properly, because I thought you have to implement and use the whole thing as is, or nothing at all.

Well I soon discovered that you can only use parts of it, not the entire object. For example in my application I have my own user object and my own password and login modules, but I needed to get forms authentication working. So I basically just use the Membership provider for that part. I am not overriding any methods or anything, just use it for FormsAuthentication, then I use my own repositories to changing passwords, verifying username passwords etc.

Here is a snippet from my login code in MVC.

   var authTicket =  new FormsAuthenticationTicket(1, user.UniqueName, DateTime.UtcNow, DateTime.UtcNow.AddHours(2), rememberMe, cookieValues);
    var encryptedTicket = FormsAuthentication.Encrypt(authTicket);
    var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket) { Expires = DateTime.UtcNow.AddDays(14) };

    httpResponseBase.Cookies.Add(authCookie);

This enables me to use the FormsAuthentication.SignOut(); methods and other methods the membership provider makes available.

On your question re Create a randomGuid/Cryptographically strong random number, here is a good method you can use, I found it a while ago, and I am sorry but can't remember where on the web

/// <summary>
/// A simple class which can be used to generate "unguessable" verifier values.
/// </summary>
public class UnguessableGenerator
{
    const string AllowableCharacters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/^()";
    const string SimpleAllowableCharacters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    /// <summary>
    /// Generates an unguessable string sequence of a certain length
    /// </summary>
    /// <param name="length">The length.</param>
    /// <param name="useSimpleCharacterSet">if set to <c>true</c> [use simple character set].</param>
    /// <returns></returns>
    public static string GenerateUnguessable(int length, bool useSimpleCharacterSet = false, string additionalCharacters = "")
    {
        var random = new Random();

        var chars = new char[length];

        var charsToUse = useSimpleCharacterSet ? SimpleAllowableCharacters : AllowableCharacters;
        charsToUse = string.Format("{0}{1}", charsToUse, additionalCharacters);

        var allowableLength = charsToUse.Length;

        for (var i = 0; i < length; i++)
        {
            chars[i] = charsToUse[random.Next(allowableLength)];
        }

        return new string(chars);
    }




    /// <summary>
    /// Generates an ungessable string, defaults the length to what google uses (24 characters)
    /// </summary>
    /// <returns></returns>
    public static string GenerateUnguessable()
    {
        return GenerateUnguessable(24);
    }
}

For Send a unique URL containing the random number to the user's email address, what you need is in your User table or any table a way to store a random id and then use that in a crafted url in an email that the user can use to verify.

This will require you to create a Url that will accept that type of Url, and then you have to extract the parts you need form the querystring and update your user object.

For When confirmed, the user is asked to change password, by default have a bit flag in your table that forces a user to change his password, this will come in handy later too if you need to force a user to change password. So then your login code looks to see if this bit flag is on, and if so, it will force a password change first. Then once the user has changed his password, you will turn this flag off.

Hope this helps.

Best Answer

Related Solutions

How to not use ASP.Net Membership Security Question and Answer for custom password recovery

C# – ASP.NET Membership Provider – Reset Password Features – Email Confirmation and Password Change

Related Topic