I'm using the standard SqlMembershipProvider that comes with the ASP.NET MVC demo.
I'm interested in implementing a "Forgot your password" link on my site.
What is the correct way for this feature to be implemented? Should I overwrite the password with a temporary one and email it to their registered email?
Upvotes: 15
Views: 26693
Reputation: 1515
It depends on what type of membership provider you are using, but I would recommend using the SimpleMembership provider for authentication. For more detail, please visit the following link.
Here is some code for you:
[HttpPost]
[AllowAnonymous]
public ActionResult ForgotPassword(ForgotPasswordModel model)
{
    // The original elided this block; the surrounding braces imply a model check here.
    if (ModelState.IsValid)
    {
        if (WebSecurity.UserExists(model.UserName))
        {
            // Token is valid for 60 minutes.
            var token = WebSecurity.GeneratePasswordResetToken(model.UserName, 60);
            // ...
            // send this token by email (put it in the reset link)
        }
        else
        {
            ModelState.AddModelError("", "Could not find User");
        }
    }
    return View(model);
}

[HttpPost]
[AllowAnonymous]   // the user cannot log in yet, so the reset action must not require authentication
public ActionResult ResetPassword(ResetPasswordModel model)
{
    string token = Request.Params["token"];
    if (!string.IsNullOrEmpty(token))
    {
        // Returns true only if the token exists and has not expired.
        if (WebSecurity.ResetPassword(token, model.NewPassword))
        {
            // send a confirmation email... or
            return View();
        }
    }
    return View(model);
}
Upvotes: 5
Reputation: 346
Surely it is better to email the user a link with some sort of impossible-to-guess URL (say, one containing a random Guid). When the user clicks the URL they are able to reset the password. The URL should be good for one use only, and should expire after a set time.
Upvotes: 5
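The answer above describes the properties a reset link needs, and the earlier answer's WebSecurity.GeneratePasswordResetToken / WebSecurity.ResetPassword calls provide them inside SimpleMembership. The class below is an added example, not code from either answer or from ASP.NET, showing what those properties look like when you implement them yourself: an unguessable token from the OS CSPRNG, stored only as a hash, redeemable exactly once and only before it expires. The in-memory store, the Clock delegate, the "/Account/ResetPassword" path and all class and member names are assumptions; a real site would persist the rows in its membership tables.

```csharp
// Added example, not code from the answers above.
// Assumed/hypothetical: the in-memory store, the Clock delegate, the URL
// path and all class and member names.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class PasswordResetService
{
    private sealed class PendingReset
    {
        public string UserName;
        public DateTime ExpiresUtc;
    }

    // Keyed by hex(SHA-256(token)): a stolen copy of this store does not yield
    // usable tokens. A DB table with a unique index on the hash works the same way.
    private readonly ConcurrentDictionary<string, PendingReset> _pending =
        new ConcurrentDictionary<string, PendingReset>(StringComparer.Ordinal);

    private readonly TimeSpan _lifetime;

    // Injectable clock so expiry can be tested without waiting.
    public Func<DateTime> Clock = () => DateTime.UtcNow;

    public PasswordResetService(TimeSpan lifetime) { _lifetime = lifetime; }

    // Issue a token: 32 bytes (256 bits) from the OS CSPRNG, more than the 122
    // random bits of a Guid; URL-safe base64 so it survives an e-mailed link.
    public string Issue(string userName)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');

        _pending[Fingerprint(token)] = new PendingReset
        {
            UserName = userName,
            ExpiresUtc = Clock().Add(_lifetime)
        };
        return token;   // goes into the e-mailed link only; never logged or stored in clear
    }

    // The link the user receives. Only the token travels; the user name is
    // recovered from the store on redemption, so the link cannot be retargeted.
    public static string BuildResetLink(string siteBaseUrl, string token)
    {
        return siteBaseUrl.TrimEnd('/') + "/Account/ResetPassword?token=" + Uri.EscapeDataString(token);
    }

    // Redeem: returns the user name whose password may now be changed, or null.
    // TryRemove makes the token single-use even for two concurrent requests,
    // and an expired token is discarded rather than honoured.
    public string Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;

        PendingReset entry;
        if (!_pending.TryRemove(Fingerprint(token), out entry)) return null;
        if (Clock() > entry.ExpiresUtc) return null;
        return entry.UserName;
    }

    private static string Fingerprint(string token)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes(token));
            return BitConverter.ToString(hash).Replace("-", "");
        }
    }
}
```

In the MVC flow, the ForgotPassword action calls Issue and mails BuildResetLink to the address already on file; the ResetPassword action calls Redeem and changes the password only when it returns a user name. Respond to the forgot-password form identically whether or not the user name exists, otherwise the form becomes a user-enumeration oracle.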
Reputation: 1086
Based on the nature of the application, the best practice for the forgot-password flow should be in the following order:
Upvotes: 10
Reputation: 21078
The provider will automatically do the reset for you:
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.resetpassword.aspx
The sample just returns the new password to the browser instead of emailing it to the user, but it uses the secret question/answer that can be configured with the provider.
This sample gets the password and emails it:
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.getpassword.aspx
I think either approach is safe. The email-it step is a bit safer, since the user would have to know the question/answer and the email password to hack an account.
I realize these samples are not using MVC but I am sure it's enough to get you going. :)
Upvotes: 8
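The MSDN samples the answer links are Web Forms pages. The action below is an added example, not code from the answer or from those samples, that does the same thing inside an MVC controller: it lets the configured SqlMembershipProvider reset the password after checking the secret answer, then mails the generated password to the address on file. It needs enablePasswordReset="true" and requiresQuestionAndAnswer="true" on the provider in web.config and a <system.net><mailSettings> section for the SmtpClient. The model class, the SendMail helper, the "ResetSent" view and the action name are assumptions.

```csharp
// Added example, not code from the answer or the MSDN samples it links.
// Assumed/hypothetical: ResetWithAnswerModel, SendMail, the "ResetSent" view
// and the action name; the provider calls are the real SqlMembershipProvider API.
using System;
using System.Net.Mail;
using System.Web.Mvc;
using System.Web.Security;

public class ResetWithAnswerModel
{
    public string UserName { get; set; }
    public string Answer { get; set; }    // answer to the user's configured secret question
}

public class AccountController : Controller
{
    // web.config, on the membership provider:
    //   enablePasswordReset="true" requiresQuestionAndAnswer="true"
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult ResetWithAnswer(ResetWithAnswerModel model)
    {
        if (!ModelState.IsValid) return View(model);

        MembershipUser user = Membership.GetUser(model.UserName, false);
        if (user == null)
        {
            // Same message whether the user or the answer was wrong: do not confirm user names.
            ModelState.AddModelError("", "Password reset failed.");
            return View(model);
        }

        string newPassword;
        try
        {
            // The provider generates a random password, stores it in the
            // configured format and returns it once; the old password is gone.
            newPassword = user.ResetPassword(model.Answer);
        }
        catch (MembershipPasswordException)   // wrong answer, or the account is locked out
        {
            ModelState.AddModelError("", "Password reset failed.");
            return View(model);
        }

        // Mail the temporary password to the address on file, never to one typed into the form.
        SendMail(user.Email, "Your temporary password",
            "Your password has been reset to: " + newPassword +
            "\r\nSign in and change it immediately.");

        return View("ResetSent");
    }

    private static void SendMail(string to, string subject, string body)
    {
        // Host, credentials and the From address come from <system.net><mailSettings>.
        using (var client = new SmtpClient())
        using (var msg = new MailMessage { Subject = subject, Body = body })
        {
            msg.To.Add(to);
            client.Send(msg);
        }
    }
}
```

Failed answers count against the provider's maxInvalidPasswordAttempts setting, so a wrong secret answer locks the account out the same way a wrong password does; the action reports both cases with the same message.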