user1166905

Reputation: 2622

ASP.Net MVC Identity Forgotten Password

I have setup a quick page to accept an email address which will send an email to it which will later contain a link to reset password or a new temporary one.

My project is a new ASP .Net MVC project using Identity. I thought the best way to reset it would be to send a link to the email which when clicked allows the user to enter a new one but then I'm not sure what to put on the page the link is directed to, to allow this functionality and keep the site secure.

Is it simply easiest in this case to send a new temporary one?

Upvotes: 4

Views: 1820

Answers (2)

Xavier Egea

Reputation: 4763

You can find a complete sample that uses "Forgot password" functionality in the prerelease version of "Microsoft ASP.NET Identity Samples 2.1.0-alpha1" NuGet package.

Steps

  1. Create Empty Web Application project
  2. Install sample project: Install-Package Microsoft.AspNet.Identity.Samples -Pre
  3. Start the application and register a new user.
  4. Go to the Log in page and click on "Forgot password". Then add the recently registered user's e-mail.

Then, you will be able to debug the application checking the "Forgot password" process.

Upvotes: 1

Kritner

Reputation: 13765

This was too long to fit in a comment so hopefully I don't get downvoted without actual code examples :O

A common solution that I've seen:

When a user requests a password reset, record a guid/random hash and expiration datetime to the user's information in your user store (db most likely).

An email with a link to a temporary page is sent to the user's email address on file (this solution does require a valid email address).

Once the temporary page is hit, the link can be set to immediately expire (set the expiration date to datetime.now, or remove the guid/hash from the user info, etc).

This temporary page URL would likely have the guid/hash for the recorded user in the query string, so it should be pretty hard to find without having the link in the email. For added security, the user can be required to put in the username/email that requested the password reset (as there should potentially be no mention of usernames/passwords on the page). Once this validation is done (or not), give the user the appropriate fields to reset their password.

One final note on the "forgot password" link: don't provide any information on whether or not a username "does not exist", as this can give the potential of finding valid user names on your site.

EDIT:

Here's a previous Stack Overflow question that might explain it better than I did (don't look at the "accepted" answer, look at the most upvoted answer :)

Generate temporary URL to reset password

Upvotes: 1
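As an added example (not code from the question or from either answer), here is the scheme Kritner describes written in plain C# with an in-memory dictionary standing in for the Identity user store; the names UserRecord, RequestReset and TryResetPassword are my own. It fills in the details a practitioner would want beyond the prose: the token is 256 random bits rather than a Guid, only its SHA-256 hash is stored so a leaked database cannot be turned into working reset links, the comparison is constant-time, the token is consumed on first use, and an unknown address produces the same outward result as a known one. (ASP.NET Identity 2.x itself ships this flow as UserManager.GeneratePasswordResetTokenAsync and UserManager.ResetPasswordAsync once a UserTokenProvider is configured; the code below shows what such an implementation has to get right.)

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Stand-in for the Identity user table (assumed shape, not an Identity type).
// Only a hash of the reset token is stored, never the token itself.
public sealed class UserRecord
{
    public string Email;
    public string PasswordHash;
    public byte[] ResetTokenHash;          // SHA-256 of the token that was e-mailed
    public DateTime? ResetTokenExpiresUtc; // null when no reset is pending
}

public static class PasswordReset
{
    static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(30);

    // Step 1 (ForgotPassword POST): generate a token and store its hash + expiry.
    // Returns the raw token for the e-mail link, or null if the address is unknown;
    // the controller must show the same "check your inbox" page either way so the
    // response does not reveal which addresses are registered.
    public static string RequestReset(IDictionary<string, UserRecord> users, string email, DateTime nowUtc)
    {
        UserRecord user;
        if (!users.TryGetValue(email, out user))
            return null;

        byte[] raw = new byte[32]; // 256 bits of CSPRNG output: not guessable, unlike Guid.NewGuid()
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        // URL-safe base64 so the token survives a query string unchanged
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');

        user.ResetTokenHash = Sha256(token);
        user.ResetTokenExpiresUtc = nowUtc + TokenLifetime;
        return token;
    }

    // Step 2 (ResetPassword POST): the link was followed and the form submitted.
    // Look the user up by e-mail (never by token alone), check token + expiry, then consume it.
    public static bool TryResetPassword(IDictionary<string, UserRecord> users, string email,
                                        string token, string newPassword, DateTime nowUtc)
    {
        UserRecord user;
        if (!users.TryGetValue(email, out user) || user.ResetTokenHash == null || token == null)
            return false;
        if (user.ResetTokenExpiresUtc <= nowUtc || !FixedTimeEquals(user.ResetTokenHash, Sha256(token)))
            return false;

        user.ResetTokenHash = null;            // single use: the link is dead from here on
        user.ResetTokenExpiresUtc = null;
        user.PasswordHash = HashPassword(newPassword);
        return true;
    }

    static byte[] Sha256(string s)
    {
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    // Constant-time comparison so a wrong token cannot be detected byte-by-byte via timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // PBKDF2 with a random per-user salt, stored as "salt:hash" (Identity's PasswordHasher does this job).
    static string HashPassword(string password)
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, 100000))
            return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(kdf.GetBytes(32));
    }

    // Walk-through on a constructed one-user store.
    public static void Main()
    {
        var users = new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.com", new UserRecord { Email = "alice@example.com", PasswordHash = "old" } }
        };
        DateTime now = DateTime.UtcNow;

        string token = RequestReset(users, "alice@example.com", now);
        Console.WriteLine("Unknown address returns null: " + (RequestReset(users, "nobody@example.com", now) == null));
        Console.WriteLine("Wrong token rejected: " + !TryResetPassword(users, "alice@example.com", "guess", "N3w-pass!", now));
        Console.WriteLine("Correct token accepted: " + TryResetPassword(users, "alice@example.com", token, "N3w-pass!", now));
        Console.WriteLine("Replay rejected: " + !TryResetPassword(users, "alice@example.com", token, "Other1!", now));

        string token2 = RequestReset(users, "alice@example.com", now);
        Console.WriteLine("Expired token rejected: " + !TryResetPassword(users, "alice@example.com", token2, "Other1!", now.AddMinutes(31)));
    }
}
```

In a real controller the raw token goes only into the e-mail body (typically via Url.Action with the reset route, the e-mail and the token), and the ResetPassword view asks for the e-mail again rather than trusting whatever identifier is in the URL, which is the "added security" step in the answer above. Whether the link is consumed on GET or only on a successful POST is a trade-off: consuming on GET defeats a replayed link sooner but means a mail scanner that pre-fetches URLs can burn the token before the user sees it.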
