Password reset for membership provider

Question
-
User-1767698477 posted
I don't understand why they write this code the way they do here at:
The idea here is an unauthenticated user comes to this page to reset their password. Assuming they know their username, and nothing else like their security question, they are presented with a textbox to enter their username and a 2nd textbox to answer the security question. (but of course there is no security question on the page displayed) This code isn't populating the label control with the user's security question. Why isn't this working? First it has to look up the username and if it finds a valid username, then it should take the security question and attach it to the label control. But there is only the reset password button with this code. This would require two click events: one to get the security question and one to reset the password. And as far as resetting it, is it better to send an email or just provide the new password right there on the webpage? So then they can login and change the password. Also, to confirm, is it possible to change the password if they are in Hashed format? (i.e. not encrypted)
Here is what I have at the moment:
    <membership defaultProvider="SecurityTutorialsSqlMembershipProvider">
      <providers>
        <!-- Add a customized SqlMembershipProvider -->
        <add name="SecurityTutorialsSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SecurityTutorialsConnectionString"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             applicationName="SecurityTutorials"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""/>
      </providers>
    </membership>
    Imports System.Web.Security

    Partial Class reset_password
        Inherits System.Web.UI.Page

        Public Sub Page_Load(ByVal sender As Object, ByVal args As EventArgs)
            If Not Membership.EnablePasswordReset Then
                FormsAuthentication.RedirectToLoginPage()
            End If
            Msg.Text = ""
            If Not IsPostBack Then
                Msg.Text = "Please enter a user name."
            Else
                VerifyUsername()
            End If
        End Sub

        Public Sub VerifyUsername()
            Dim user As MembershipUser = Membership.GetUser(UsernameTextBox.Text, False)
            If user Is Nothing Then
                Msg.Text = "The user name " & Server.HtmlEncode(UsernameTextBox.Text) & " was not found. Please check the value and reenter your user name."
                QuestionLabel.Text = ""
                QuestionLabel.Enabled = False
                AnswerTextBox.Enabled = False
                ResetPasswordButton.Enabled = False
            Else
                QuestionLabel.Text = user.PasswordQuestion
                QuestionLabel.Enabled = True
                AnswerTextBox.Enabled = True
                ResetPasswordButton.Enabled = True
            End If
        End Sub

        Public Sub ResetPassword_OnClick(ByVal sender As Object, ByVal args As EventArgs)
            Dim newPassword As String = ""
            Try
                newPassword = Membership.Provider.ResetPassword(UsernameTextBox.Text, AnswerTextBox.Text)
            Catch e As NotSupportedException
                Msg.Text = "An error has occurred resetting your password: " & e.Message & "." & "Please check your values and try again."
            Catch e As MembershipPasswordException
                Msg.Text = "Invalid password answer. Please reenter the answer and try again."
                Return
            Catch e As System.Configuration.Provider.ProviderException
                Msg.Text = "The specified user name does not exist. Please check your value and try again."
            End Try
            If newPassword <> "" Then
                Msg.Text = "Password reset. Your new password is: " & Server.HtmlEncode(newPassword)
            Else
                Msg.Text = "Password reset failed. Please reenter your values and try again."
            End If
        End Sub
    End Class

    <%@ Page Title="" Language="VB" MasterPageFile="~/Site.master" AutoEventWireup="false" CodeFile="reset_password.aspx.vb" Inherits="reset_password" %>
    <asp:Content ID="Content1" ContentPlaceHolderID="MainContent" runat="Server">
    </asp:Content>
    <asp:Content ID="Content2" ContentPlaceHolderID="LoginContent" runat="Server">
      <h3>Reset Password</h3>
      <asp:Label id="Msg" runat="server" ForeColor="maroon" /><br />
      Username:
      <asp:Textbox id="UsernameTextBox" Columns="30" runat="server" AutoPostBack="true" />
      <asp:RequiredFieldValidator id="UsernameRequiredValidator" runat="server"
          ControlToValidate="UsernameTextBox" ForeColor="red" Display="Static" ErrorMessage="Required" /><br />
      Password Question: <b><asp:Label id="QuestionLabel" runat="server" /></b><br />
      Answer:
      <asp:TextBox id="AnswerTextBox" Columns="60" runat="server" Enabled="false" />
      <asp:RequiredFieldValidator id="AnswerRequiredValidator" runat="server"
          ControlToValidate="AnswerTextBox" ForeColor="red" Display="Static" ErrorMessage="Required" Enabled="false" /><br />
      <asp:Button id="ResetPasswordButton" Text="Reset Password" OnClick="ResetPassword_OnClick" runat="server" Enabled="true" />
    </asp:Content>
Thursday, May 7, 2020 6:07 AM
Answers
-
User-943250815 posted
If I understand your issue
Sending a new password by mail can be a plus, and you have to adapt your code to send it by mail automatically or by a button click.
For your last question, yes you can change the password, but it is tricky, since all passwords are hashed before being stored.
So you first reset it and use it as the old password to set a new one, something like:
    Dim zUser As MembershipUser = Membership.GetUser(zUserName)
    Dim zNewPwd As String = tbxNewPwd.Text
    zUser.ChangePassword(zUser.ResetPassword, zNewPwd)
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Friday, May 8, 2020 12:59 AM
All replies
-
User-1767698477 posted
I have the password reset tool working now. I have learnt that you cannot be locked out with 5 password resets otherwise it cannot retrieve the username.
Saturday, May 9, 2020 8:05 PM -
User-943250815 posted
You can control the number of invalid attempts in the web.config membership section; in your case it is set to maxInvalidPasswordAttempts="5".
There are 2 tasks restricted to the site admin: Approve and Unlock user.
To Approve:
    Dim zUser As MembershipUser = Membership.GetUser(zUserName)
    If zUser.IsApproved = False Then
        zUser.IsApproved = True
        Membership.UpdateUser(zUser)
    End If
To Unlock:
    Dim zUser As MembershipUser = Membership.GetUser(zUserName)
    If zUser.IsLockedOut = True Then
        zUser.UnlockUser()
        ' There is no need to use Membership.UpdateUser
    End If
Sunday, May 10, 2020 2:44 PM
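
One way to write the two-click flow the question asks about, mailing the temporary password as the answer suggests and refusing locked-out accounts as the later replies discuss. This is an added example, not code from the thread: `LookupQuestion_OnClick` and the button that calls it are hypothetical, the other control names are those of the question's page, and SMTP settings (including a default From address) are assumed to be present in `system.net/mailSettings`.

```vb
Imports System.Net.Mail
Imports System.Web.Security

Partial Class reset_password
    Inherits System.Web.UI.Page

    ' Click 1 (hypothetical button wired with OnClick="LookupQuestion_OnClick"):
    ' look up the user and show the stored security question.
    Public Sub LookupQuestion_OnClick(ByVal sender As Object, ByVal args As EventArgs)
        Dim user As MembershipUser = Membership.GetUser(UsernameTextBox.Text.Trim(), False)
        ' Unknown and locked-out accounts get the same message and no question.
        Dim usable As Boolean = user IsNot Nothing AndAlso Not user.IsLockedOut
        ' Label.Text is not encoded automatically, so encode the stored question.
        QuestionLabel.Text = If(usable, Server.HtmlEncode(user.PasswordQuestion), "")
        AnswerTextBox.Enabled = usable
        ResetPasswordButton.Enabled = usable
        Msg.Text = If(usable, "Answer the question to reset your password.",
                      "This account cannot be reset here. Contact the site administrator.")
    End Sub

    ' Click 2 (the page's existing ResetPasswordButton): check the answer, reset,
    ' and mail the temporary password instead of rendering it in the page.
    Public Sub ResetPassword_OnClick(ByVal sender As Object, ByVal args As EventArgs)
        Try
            Dim user As MembershipUser = Membership.GetUser(UsernameTextBox.Text.Trim(), False)
            If user Is Nothing Then Throw New MembershipPasswordException()
            Dim tempPassword As String = user.ResetPassword(AnswerTextBox.Text)
            Using mail As New MailMessage()          ' From address comes from mailSettings (assumed)
                mail.To.Add(user.Email)              ' address already on file, never user input
                mail.Subject = "Your password was reset"
                mail.Body = "Temporary password: " & tempPassword & vbCrLf &
                            "Sign in and change it right away."
                Using smtp As New SmtpClient()       ' host/port come from mailSettings (assumed)
                    smtp.Send(mail)
                End Using
            End Using
            Msg.Text = "A temporary password was sent to the e-mail address on file."
        Catch ex As MembershipPasswordException
            ' Rejected answer: say nothing about the account beyond this.
            Msg.Text = "The answer was not accepted. Please try again."
        End Try
    End Sub
End Class
```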