Paul

Reputation: 6238

Using a Membership Provider for Private Site

I can't be the first person to have this problem; I must be missing an easy solution. I have inherited a non-public ASP.NET site secured using forms authentication with a SqlMembershipProvider to secure the site. Everything is working fine with the users the developer manually added to the database.

I need to add an administrative page to allow privileged users to add and alter user accounts. The membership provider makes it really easy to build one, but the problem I'm having with the SqlMembershipProvider now is the question/answer requirement. The administrator needs to be able to reset the other users' passwords to a temporary password and create a new user account (also with a temporary password). Resetting a password requires either the answer for the user's question or their current password.

I could of course just put in something like "question" and "answer" for all accounts and it would work, but I'm concerned about security risks of doing this. Perhaps I'm being too paranoid though. Creating a custom membership provider, in addition to being a lot of work, doesn't solve this problem because the membership provider base has the same requirements.

Thank you.

Upvotes: 0

Views: 106

Answers (1)

Pleun

Reputation: 8920

> Resetting a password requires either the answer for the user's question or their current password

If you are currently not using the question/answers, you can override this in the web.config

requiresQuestionAndAnswer="false"

After that you can do:

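        // Requires: using System; using System.Web.Security;
        string requesteduserGUIDstring = "some GUID";  // the target user's ProviderUserKey
        Guid UserID = new Guid(requesteduserGUIDstring.ToUpper());
        MembershipUser mu = Membership.GetUser(UserID);
        // ResetPassword() returns a generated password, which serves as the "old" password here
        mu.ChangePassword(mu.ResetPassword(), tbNewPassword.Text);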

If you are using the question/answers, you can add a second provider to your web.config and set only for that provider the same overrule and use that provider ONLY for the reset password functionality.

Upvotes: 2
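
The second-provider approach from the answer above, written out as an added example (not code from the original answer). The provider names, the role name, the connection string name and the helper class are hypothetical, and it assumes the role manager is enabled; it also unlocks a locked-out account first, because a reset on a locked-out account is refused.

```csharp
// Assumed web.config (hypothetical names). Both entries must use the same
// connectionStringName and applicationName so they see the same user records:
//   <membership defaultProvider="SiteProvider"><providers>
//     <add name="SiteProvider" type="System.Web.Security.SqlMembershipProvider"
//          connectionStringName="SiteDb" applicationName="/"
//          enablePasswordReset="true" requiresQuestionAndAnswer="true" />
//     <add name="AdminResetProvider" type="System.Web.Security.SqlMembershipProvider"
//          connectionStringName="SiteDb" applicationName="/"
//          enablePasswordReset="true" requiresQuestionAndAnswer="false" />
//   </providers></membership>
using System;
using System.Configuration.Provider;
using System.Security;
using System.Web.Security;

public static class AdminPasswordReset
{
    private const string ResetProviderName = "AdminResetProvider"; // hypothetical name
    private const string AdminRole = "Administrators";             // hypothetical role

    // Resets the user's password and returns the generated temporary password.
    public static string ResetToTemporaryPassword(string userName)
    {
        // Enforce authorization on the server, not only by hiding the admin page.
        if (!Roles.IsUserInRole(AdminRole))
            throw new SecurityException("Caller is not allowed to reset passwords.");

        // Use the relaxed provider for this one operation only; logins and
        // self-service resets keep going through the default provider.
        MembershipProvider provider = Membership.Providers[ResetProviderName];
        if (provider == null)
            throw new ProviderException("Provider '" + ResetProviderName + "' is not configured.");

        MembershipUser user = provider.GetUser(userName, false);
        if (user == null)
            throw new ArgumentException("Unknown user.", "userName");

        // A locked-out account cannot be reset until it is unlocked.
        if (user.IsLockedOut && !provider.UnlockUser(userName))
            throw new ProviderException("Could not unlock the account.");

        // No answer is required because requiresQuestionAndAnswer="false" here.
        return provider.ResetPassword(userName, null);
    }
}
```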
