How do I remove username from MembershipProvider password recovery email?

  • Question

  • User695372294 posted

    I'm using the ASP.NET 4.0 MembershipProvider to control access to one of my websites. One of its facilities is the asp:PasswordRecovery control. A user is sent a password reminder after entering their username. My problem is that this email also includes the username, which is not desirable from a security point of view.

    How do I change the content of that email, which is currently being generated from within MembershipProvider rather than my own coding?

    Wednesday, February 5, 2020 11:45 AM

All replies

  • User753101303 posted

    Hi,

    You mean without using the control features found in the documentation? Most of the source is available so you can have a look at https://referencesource.microsoft.com/ for ASP.NET 4.x code.

    You'll likely find it is handled by the control itself rather than by using the underlying membership which is pretty basic if I remember (and quite a bit outdated).

    Wednesday, February 5, 2020 12:33 PM
  • User695372294 posted

    PatriceSc

    Hi,
    You mean without using the control features found in the documentation? Most of the source is available so you can have a look at https://referencesource.microsoft.com/ for ASP.NET 4.x code.

    You'll likely find it is handled by the control itself rather than by using the underlying membership which is pretty basic if I remember (and quite a bit outdated).

    Hi Patrice,
    Your link takes me to a page that has the heading .NET Framework 4.8 and a search for .NET 4.0 doesn't seem to get me very far. The following link seems more likely to be useful, but I'm struggling to see how to exploit this on my own Web Form. Please note that I am a part-time, unpaid and self-taught ASP.NET programmer. My knowledge is seldom more than skin deep, so I am probably in need of a bit more hand holding on this. 

    https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.webcontrols.passwordrecovery.maildefinition?view=netframework-4.0

    I am aware that ASP.NET Identity has replaced MembershipProvider as the preferred solution, but it appears to solve problems I don't have, so it has never seemed a priority to migrate to that solution, especially when my available time is rather limited.

    EDIT:  It looks like I need to use the SendingMail event to specify some subproperty of the MailDefinition class, but I have not yet found a subproperty that seems relevant to my requirements. 

    Wednesday, February 5, 2020 1:41 PM
  • User753101303 posted

    For now it seems the simplest option would be :

    void PasswordRecovery1_SendingMail(object sender, MailMessageEventArgs e)
      {
        e.Message.IsBodyHtml = false;
        e.Message.Subject = "New password on Web site.";
        // According to the doc you have a MailMessageEventArgs.Message which is the generated MailMessage so you could likely use 
        e.Message.Message.Body="My own custom message"; // Use other properties if needed to generate the message you want
      }

    AFAIK it is not handled at all at the membership provider level (in case you tried already and wanted a provider level solution).

    I don't suggest to use ASP.NET identity right away. It is just a quick note about something you could consider later.

    Wednesday, February 5, 2020 2:13 PM
  • User695372294 posted

    PatriceSc

    For now it seems the simplest option would be :

    void PasswordRecovery1_SendingMail(object sender, MailMessageEventArgs e)
      {
        e.Message.IsBodyHtml = false;
        e.Message.Subject = "New password on Web site.";
        // According to the doc you have a MailMessageEventArgs.Message which is the generated MailMessage so you could likely use 
        e.Message.Message.Body="My own custom message"; // Use other properties if needed to generate the message you want
      }

    Just before you made your last post, I had tried using exactly that solution, though I wrote it in VB.NET and used e.Message.Body = "My message" (I note that you used e.Message.Message.Body, but that just creates an error for me). Unfortunately, a test of this code via Local Host did not replace the normal contents of the password reminder email.

    Even if I manage to fix that, I am left wondering how I could reference the retrieved password in the email body.

    EDIT:  I have now succeeded in replacing the body of the password reminder email with some sample text and am now searching again for a way to reference the password.

    Wednesday, February 5, 2020 2:26 PM
  • User753101303 posted

    Not sure why I typed e.Message.Message. This is e.Message.Body as you have done...

    Try perhaps to use https://docs.microsoft.com/en-us/visualstudio/debugger/using-breakpoints?view=vs-2019 to make 100% sure this code is called (or changing the subject does work ???)

    If not, you may have to add OnSendingMail="PasswordRecovery1_SendingMail" in the markup for your ASPX control or use maybe https://docs.microsoft.com/en-us/dotnet/visual-basic/language-reference/statements/handles-clause

    Check against what you are doing usually with VB.NET to call this kind of event.

    Else I would have to try to see what happens and if I get the same problem on my side.

    Wednesday, February 5, 2020 3:13 PM
  • User695372294 posted

    Not sure why I typed e.Message.Message. This is e.Message.Body as you have done...

    Try perhaps to use https://docs.microsoft.com/en-us/visualstudio/debugger/using-breakpoints?view=vs-2019 to make 100% sure this code is called (or changing the subject does work ???)

    If not, you may have to add OnSendingMail="PasswordRecovery1_SendingMail" in the markup for your ASPX control or use maybe https://docs.microsoft.com/en-us/dotnet/visual-basic/language-reference/statements/handles-clause

    Check against what you are doing usually with VB.NET to call this kind of event.

    Else I would have to try to see what happens and if I get the same problem on my side.

    You may not have seen the edit I made to my previous post, as it was made at about the same time as you made your last post. I can now change the body of the password retrieval email, but I have not yet found a way to reference the password in that email. 

    Wednesday, February 5, 2020 4:48 PM
  • User695372294 posted

    Problem now resolved. I created a text file called PasswordRecovery.txt containing my preferred wording for the email body, including the placeholder <%Password%>.

    I then added the following line to the HTML. When the email is sent it replaces the placeholder with the actual password. You could also use the placeholder <%UserName%>, though I chose not to.

    <MailDefinition BodyFileName="~/App_Data/PasswordRecovery.txt"></MailDefinition>

    It was the following article that guided me to this solution.

    https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/admin/recovering-and-changing-passwords-vb

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, February 5, 2020 5:48 PM
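
A guard for the template approach in the answer above, added here as an example and not code from the thread: a VB.NET SendingMail handler that re-reads the BodyFileName template and cancels the send if a later edit has put the `<%UserName%>` placeholder back. The page class name `Recover` and the `Subject` text are assumptions; the control ID and handler name follow the ones used earlier in the thread.

```vbnet
' Assumed markup (the MailDefinition element sits inside the control):
'
'   <asp:PasswordRecovery ID="PasswordRecovery1" runat="server"
'        OnSendingMail="PasswordRecovery1_SendingMail">
'     <MailDefinition BodyFileName="~/App_Data/PasswordRecovery.txt"
'                     Subject="Password reminder" />
'   </asp:PasswordRecovery>
'
' Constructed sample content for ~/App_Data/PasswordRecovery.txt:
'
'   A password reminder was requested for your account.
'   Your password is: <%Password%>

Imports System.IO
Imports System.Text.RegularExpressions
Imports System.Web.UI.WebControls

Partial Class Recover   ' hypothetical page class name
    Inherits System.Web.UI.Page

    ' Deliberately tolerant: matches the UserName placeholder in any letter case
    ' and with optional spaces inside the <% %> delimiters.
    Private Shared ReadOnly UserNameToken As New Regex(
        "<%\s*UserName\s*%>", RegexOptions.IgnoreCase)

    Protected Sub PasswordRecovery1_SendingMail(sender As Object, e As MailMessageEventArgs)
        ' Resolve the same template file the control was configured with.
        Dim templatePath As String =
            Server.MapPath(PasswordRecovery1.MailDefinition.BodyFileName)
        Dim template As String = File.ReadAllText(templatePath)

        If UserNameToken.IsMatch(template) Then
            ' The template would put the user name next to the password in one
            ' message. MailMessageEventArgs derives from LoginCancelEventArgs,
            ' so setting Cancel stops this e-mail from being sent.
            Trace.Warn("PasswordRecovery", "Template contains the UserName placeholder; mail cancelled.")
            e.Cancel = True
            Return
        End If

        ' Template is clean: send it as plain text, as in the earlier replies.
        e.Message.IsBodyHtml = False
    End Sub
End Class
```
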
  • User-719153870 posted

    Hi haggis999,

    Glad to know the problem has been resolved. You can mark the posts which helped solve the problem as the answer so that they can help people who meet the same problem.

    Best Regards,

    Yang Shen

    Thursday, February 6, 2020 3:47 AM