Password reset for membership provider

  • Question

  • User-1767698477 posted

    I don't understand why they write this code the way they do here at:

    https://docs.microsoft.com/en-us/dotnet/api/system.web.security.membershipuser.resetpassword?view=netframework-4.8

    The idea here is an unauthenticated user comes to this page to reset their password. Assuming they know their username, and nothing else like their security question, they are presented with a textbox to enter their username and a second textbox to answer the security question (but of course there is no security question displayed on the page). This code isn't populating the label control with the user's security question. Why isn't this working? First it has to look up the username and, if it finds a valid username, then it should take the security question and attach it to the label control. But there is only the reset password button with this code. This would require two click events: one to get the security question and one to reset the password. And as far as resetting it, is it better to send an email or just provide the new password right there on the webpage? Then they can log in and change the password. Also, to confirm, is it possible to change the password if they are in Hashed format (i.e. not encrypted)?

    Here is what I have at the moment:

    <membership defaultProvider="SecurityTutorialsSqlMembershipProvider">
      <providers>
        <!-- Add a customized SqlMembershipProvider -->
        <add
          name="SecurityTutorialsSqlMembershipProvider"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="SecurityTutorialsConnectionString"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="true"
          applicationName="SecurityTutorials"
          requiresUniqueEmail="true"
          passwordFormat="Hashed"
          maxInvalidPasswordAttempts="5"
          minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1"
          passwordAttemptWindow="10"
          passwordStrengthRegularExpression=""/>
      </providers>
    </membership>

    Imports System.Web.Security
    Partial Class reset_password
        Inherits System.Web.UI.Page
        Public Sub Page_Load(ByVal sender As Object, ByVal args As EventArgs)
            If Not Membership.EnablePasswordReset Then
                FormsAuthentication.RedirectToLoginPage()
            End If

            Msg.Text = ""

            If Not IsPostBack Then
                Msg.Text = "Please enter a user name."
            Else
                ' UsernameTextBox has AutoPostBack="true", so leaving the textbox posts back and this
                ' runs; it also runs before ResetPassword_OnClick on the button postback.
                VerifyUsername()
            End If
        End Sub

        Public Sub VerifyUsername()
            ' userIsOnline:=False so the lookup does not update LastActivityDate for an anonymous visitor.
            Dim user As MembershipUser = Membership.GetUser(UsernameTextBox.Text, False)

            If user Is Nothing Then
                ' Note: this message tells an anonymous caller which user names exist.
                Msg.Text = "The user name " & Server.HtmlEncode(UsernameTextBox.Text) & " was not found. Please check the value and reenter your user name."
                QuestionLabel.Text = ""
                QuestionLabel.Enabled = False
                AnswerTextBox.Enabled = False
                AnswerRequiredValidator.Enabled = False
                ResetPasswordButton.Enabled = False
            Else
                QuestionLabel.Text = user.PasswordQuestion
                QuestionLabel.Enabled = True
                AnswerTextBox.Enabled = True
                ' The validator is disabled in the markup; enable it here or an empty answer reaches
                ' the provider and raises an uncaught ArgumentException.
                AnswerRequiredValidator.Enabled = True
                ResetPasswordButton.Enabled = True
            End If
        End Sub

        Public Sub ResetPassword_OnClick(ByVal sender As Object, ByVal args As EventArgs)
            Dim newPassword As String = ""

            Try
                newPassword = Membership.Provider.ResetPassword(UsernameTextBox.Text, AnswerTextBox.Text)
            Catch e As NotSupportedException
                Msg.Text = "An error has occurred resetting your password: " & e.Message & ". Please check your values and try again."
                Return
            Catch e As MembershipPasswordException
                ' Wrong answer, or the account is locked out. Each wrong answer counts toward
                ' maxInvalidPasswordAttempts within passwordAttemptWindow.
                Msg.Text = "Invalid password answer. Please reenter the answer and try again."
                Return
            Catch e As System.Configuration.Provider.ProviderException
                Msg.Text = "The specified user name does not exist. Please check your value and try again."
                Return
            End Try

            If newPassword <> "" Then
                ' Echoes the generated password to whoever answered the question. With
                ' passwordFormat="Hashed" this is the only moment it is recoverable.
                Msg.Text = "Password reset. Your new password is: " & Server.HtmlEncode(newPassword)
            Else
                Msg.Text = "Password reset failed. Please reenter your values and try again."
            End If
        End Sub
    End Class

    <%@ Page Title="" Language="VB" MasterPageFile="~/Site.master" AutoEventWireup="false"
        CodeFile="reset_password.aspx.vb" Inherits="reset_password" %>

    <asp:Content ID="Content1" ContentPlaceHolderID="MainContent" runat="Server">
    </asp:Content>
    <asp:Content ID="Content2" ContentPlaceHolderID="LoginContent" runat="Server">
        <h3>Reset Password</h3>

      <asp:Label id="Msg" runat="server" ForeColor="maroon" /><br />

      Username: <asp:Textbox id="UsernameTextBox" Columns="30" runat="server" AutoPostBack="true" />
                <asp:RequiredFieldValidator id="UsernameRequiredValidator" runat="server"
                                            ControlToValidate="UsernameTextBox" ForeColor="red"
                                            Display="Static" ErrorMessage="Required" /><br />

      Password Question: <b><asp:Label id="QuestionLabel" runat="server" /></b><br />

      Answer: <asp:TextBox id="AnswerTextBox" Columns="60" runat="server" Enabled="false"  />
              <asp:RequiredFieldValidator id="AnswerRequiredValidator" runat="server"
                                          ControlToValidate="AnswerTextBox" ForeColor="red"
                                          Display="Static" ErrorMessage="Required" Enabled="false" /><br />

      <asp:Button id="ResetPasswordButton" Text="Reset Password" 
                  OnClick="ResetPassword_OnClick" runat="server" Enabled="true" />

    </asp:Content>
    




    Thursday, May 7, 2020 6:07 AM

Answers

  • User-943250815 posted

    If I understand your issue:

    Sending a new password by mail can be a plus, and you have to adapt your code to send it by mail automatically or on a button click.
    For your last question, yes, you can change the password, but it is tricky, since all passwords are hashed before being stored.
    So you first reset it and use the result as the old password to set a new one, something like

    Dim zUser As MembershipUser = Membership.GetUser(zUserName)
    Dim zNewPwd As String = tbxNewPwd.Text
    ' With requiresQuestionAndAnswer="true" (as in the web.config above) the provider needs the
    ' answer to reset, so pass it (tbxAnswer is an assumed textbox); the parameterless ResetPassword fails then.
    zUser.ChangePassword(zUser.ResetPassword(tbxAnswer.Text), zNewPwd)




    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, May 8, 2020 12:59 AM
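    As an added example (VB.NET code-behind written for this thread, not code from the original post or from the Microsoft sample it links), here is the reset handler rewritten along the lines of the answer above: the user supplies the answer and the password they want in one request, the temporary password from ResetPassword is consumed by ChangePassword in the same request and is never shown, and every failure (unknown user, wrong answer, locked out, not approved) gets the same message so the page does not tell an anonymous caller which of those happened. It assumes the web.config and control IDs from the question (UsernameTextBox, AnswerTextBox, Msg) plus one hypothetical extra control, NewPasswordTextBox; it keeps the handler name ResetPassword_OnClick so the posted markup wires it, and replaces only that handler (Page_Load and VerifyUsername stay as posted). GenericFailure and PasswordMeetsPolicy are names chosen for the example.

    ```vb
    ' Added example, not from the original post or the linked Microsoft sample.
    ' Assumes the question's web.config (requiresQuestionAndAnswer="true", passwordFormat="Hashed",
    ' maxInvalidPasswordAttempts="5") and its control IDs, plus a hypothetical NewPasswordTextBox.
    Imports System
    Imports System.Linq
    Imports System.Text.RegularExpressions
    Imports System.Web.Security
    Imports System.Configuration.Provider

    Partial Class reset_password
        Inherits System.Web.UI.Page

        ' One wording for every failure: the response must not reveal whether the user name
        ' exists, whether the answer was wrong, or whether the account is locked out.
        Private Const GenericFailure As String = "The password could not be reset with the details supplied. Please check them and try again."

        Public Sub ResetPassword_OnClick(ByVal sender As Object, ByVal args As EventArgs)
            Dim username As String = UsernameTextBox.Text.Trim()
            Dim answer As String = AnswerTextBox.Text
            Dim chosenPassword As String = NewPasswordTextBox.Text   ' hypothetical control

            If Not Membership.EnablePasswordReset Then
                Msg.Text = GenericFailure
                Return
            End If

            ' Check the chosen password against the provider's policy before touching the account,
            ' so a rejected ChangePassword cannot strand the account on a temporary password nobody knows.
            If Not PasswordMeetsPolicy(chosenPassword) Then
                Msg.Text = String.Format("Your new password must be at least {0} characters and contain at least {1} non-alphanumeric character(s).", Membership.MinRequiredPasswordLength, Membership.MinRequiredNonAlphanumericCharacters)
                Return
            End If

            ' userIsOnline:=False so the lookup does not update LastActivityDate for an anonymous visitor.
            Dim user As MembershipUser = Membership.GetUser(username, False)
            If user Is Nothing OrElse user.IsLockedOut OrElse Not user.IsApproved Then
                Msg.Text = GenericFailure
                Return
            End If

            Dim temporaryPassword As String
            Try
                ' The provider checks the answer against the stored (hashed) answer and, on success,
                ' stores a new random password. A wrong answer raises MembershipPasswordException and
                ' counts toward maxInvalidPasswordAttempts; at the limit the account is locked out.
                temporaryPassword = user.ResetPassword(answer)
            Catch ex As MembershipPasswordException
                Msg.Text = GenericFailure
                Return
            Catch ex As ProviderException
                Msg.Text = GenericFailure
                Return
            End Try

            ' Hashed storage is one-way, so the temporary password is now the only usable credential.
            ' Replace it in the same request and never write it to the page, a log, or an e-mail.
            Dim changed As Boolean = False
            Try
                changed = user.ChangePassword(temporaryPassword, chosenPassword)
            Catch ex As ArgumentException
                ' Raised when the provider's ValidatingPassword handler rejects the new password.
                changed = False
            End Try

            If Not changed Then
                ' The reset already happened, so the account now holds a temporary password the user
                ' does not know; this needs an administrator or a second reset, not a plain retry.
                Msg.Text = GenericFailure
                Return
            End If

            Msg.Text = "Your password has been reset. Please sign in with your new password."
        End Sub

        ' Mirrors the policy the provider enforces (minRequiredPasswordLength,
        ' minRequiredNonalphanumericCharacters, passwordStrengthRegularExpression).
        Private Function PasswordMeetsPolicy(ByVal candidate As String) As Boolean
            If String.IsNullOrEmpty(candidate) Then Return False
            If candidate.Length < Membership.MinRequiredPasswordLength Then Return False
            Dim nonAlphanumeric As Integer = candidate.Count(Function(c) Not Char.IsLetterOrDigit(c))
            If nonAlphanumeric < Membership.MinRequiredNonAlphanumericCharacters Then Return False
            Dim pattern As String = Membership.PasswordStrengthRegularExpression
            If Not String.IsNullOrEmpty(pattern) AndAlso Not Regex.IsMatch(candidate, pattern) Then Return False
            Return True
        End Function
    End Class
    ```

    Two caveats remain with this design. The question step in the posted page (VerifyUsername showing the question for a typed user name) still confirms to an anonymous caller which user names exist, and that cannot be avoided while the page must show the user their own question; what the handler above removes is the second, more damaging disclosure of a live password. And because a wrong answer counts toward maxInvalidPasswordAttempts, this page is also a way for an attacker to lock a known user out, which is one reason to prefer an e-mailed, time-limited reset link over the question-and-answer flow where that is an option.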

All replies

  • User-1767698477 posted

    I have the password reset tool working now. I have learnt that you cannot be locked out with 5 password resets, otherwise it cannot retrieve the username.

    Saturday, May 9, 2020 8:05 PM
  • User-943250815 posted

    You can control the number of invalid attempts in the web.config membership section; in your case it is set to maxInvalidPasswordAttempts="5".
    There are 2 tasks restricted to the site admin: Approve and Unlock user.

    To Approve:

    Dim zUser As MembershipUser = Membership.GetUser(zUserName)
    If zUser.IsApproved = False Then
      zUser.IsApproved = True
      Membership.UpdateUser(zUser)
    End If

    To Unlock:

    Dim zUser As MembershipUser = Membership.GetUser(zUserName)
    If zUser.IsLockedOut = True Then
      zUser.UnlockUser() ' There is no need to use Membership.UpdateUser
    End If



    Sunday, May 10, 2020 2:44 PM