Security of password reset in ASP.NET app

Question

I have an ASP.NET that allows users to reset passwords.

The process is

1. User clicks on reset link via email. The link contains a security token.
2. User gets taken to page 1 of app and answers security questions
3. If questions right then proceed to page 2 and reset passwords.

All data is stored securely in a database etc. My main concern is the interaction between page 1 and 2 and ensuring that people cant go directly to page 2, to change their password.

To protect against this I plan to.

1. Always check the referring page is page 1 when on page 2 and bounce if its not
2. Put the security token that comes in the email link in the session on page 1 and only allow to use page 2 if this is still in the session.
3. Have low session timeout so have limited time to enter password. Could also record in the database, the time that they completed page 1.

My question is. Is this a cunning plan or can anyone see a flaw in it?

Answer 1

Step 1 of your plan will probably not work very well, relying on referrer values to be available isn't recommend since it's a) easy to spoof, b) often disabled by paranoid users.

Step 2 sounds like you want to implement a CSRF token type approach, this is a good idea.

The main thing to protect is the security token sent in the email, as long as the attacker can't determine that token without reading email it is relatively safe. If the attacker can read the users email then just about any password recovery scheme will be broken.

Answer 2

Why don't you keep the user on the same page instead? I would use a WizardControl.

If you decide to stay with the two page approach, you can set a flag in your database when the security questions for a given token have been answered correctly. In page 2 you check if the flag is set, if it is not -> redirect to page 1.

Answer 3

I thought the token should be stored in the database and invalidated if:

• a certain timespan elapses
• a new email is generated
• user resets the password