user8664653

Reset password link - User id

I create a link to reset a user password like this:

https://localhost:5001/ResetPassword?id=a33183db-f7f6-45aa-b8dc-7fe101e04682&token=CfDJ8KXvGzIVoh9Knrlx

id is the user id ([dbo].[AspNetUsers].[Id]) and token is the result of UserManager.GeneratePasswordResetTokenAsync

Is there a security risk in putting the user id directly in the URL? Is it inadvisable?

Upvotes: 1

Views: 448

Answers (1)

trailmax

Reputation: 35106

It all depends on your requirements and what you consider secure. In 99% of applications, passing a random(-looking) GUID in a link will not give any information to an external attacker, unless somewhere in your application you have a page that shows user information based on ID (i.e. http://localhost/users/{id}). But that can be counted as a vulnerability in itself (though it depends on the application).

So in this case I would say there is no major issue with giving out an ID. However, if you are very paranoid, you can omit the ID and only pass a token in the link. Then on the password reset page you can ask for the email again, get the user ID from that email, and proceed with the password reset.

Upvotes: 2
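The flow the answer describes, written out as an added example (it is not code from the question, the answer, or ASP.NET Core itself): the reset link carries only the token, the reset page asks for the e-mail address, and the user is looked up by e-mail before the token is validated. It assumes ASP.NET Core Identity with the stock IdentityUser, an injected IEmailSender, and MVC views; the controller name, action names, view names and the ResetPasswordInput model are hypothetical. Note that with Identity's default DataProtectorTokenProvider the token already embeds the user id and is checked against the user passed to ResetPasswordAsync, so whether or not the id appears in the URL, a token issued for one account does not reset another; the point of leaving the id out is only to avoid disclosing it.

```csharp
// Added example: password reset without the user id in the link.
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.WebUtilities;

// Hypothetical form model for the reset page.
public class ResetPasswordInput
{
    public string Email { get; set; }
    public string Token { get; set; }
    public string NewPassword { get; set; }
}

public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly IEmailSender _emailSender;

    public AccountController(UserManager<IdentityUser> userManager, IEmailSender emailSender)
    {
        _userManager = userManager;
        _emailSender = emailSender;
    }

    // Step 1: the user asks for a reset link. The response is the same whether
    // or not the address is known, so this endpoint does not reveal which
    // e-mail addresses have accounts.
    [HttpPost]
    public async Task<IActionResult> ForgotPassword(string email)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user != null)
        {
            var token = await _userManager.GeneratePasswordResetTokenAsync(user);
            // The raw token contains '+' and '/', so Base64Url-encode it before
            // placing it in a query string.
            var encoded = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
            // Only the token goes into the link; no user id.
            var link = Url.Action(nameof(ResetPassword), "Account",
                                  new { token = encoded }, Request.Scheme);
            await _emailSender.SendEmailAsync(email, "Reset your password",
                $"Open this link to reset your password: {link}");
        }
        return View("ForgotPasswordConfirmation");
    }

    // Step 2: the link lands here; the form asks for the e-mail address again.
    [HttpGet]
    public IActionResult ResetPassword(string token)
    {
        if (string.IsNullOrEmpty(token)) return BadRequest();
        return View(new ResetPasswordInput { Token = token });
    }

    // Step 3: resolve the user from the e-mail, then let Identity validate the
    // token against that user and apply the new password.
    [HttpPost]
    public async Task<IActionResult> ResetPassword(ResetPasswordInput input)
    {
        if (!ModelState.IsValid) return View(input);

        string token;
        try
        {
            token = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(input.Token));
        }
        catch (FormatException)
        {
            ModelState.AddModelError(string.Empty, "Invalid reset link.");
            return View(input);
        }

        var user = await _userManager.FindByEmailAsync(input.Email);
        if (user == null)
        {
            // Same page as success: do not confirm whether the address exists.
            return View("ResetPasswordConfirmation");
        }

        var result = await _userManager.ResetPasswordAsync(user, token, input.NewPassword);
        if (result.Succeeded)
        {
            return View("ResetPasswordConfirmation");
        }

        foreach (var error in result.Errors)
        {
            ModelState.AddModelError(string.Empty, error.Description);
        }
        return View(input);
    }
}
```

Because the lookup is by e-mail, a wrong or mismatched address simply produces a user for whom the token does not validate (or no user at all), and both cases are answered with the same confirmation page rather than an error that distinguishes them.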
