Harsh Vyas

Reputation: 326

Can I use the PasswordRecovery control in ASP.NET (Membership) without the wizard structure, i.e. without SuccessTemplate and QuestionTemplate?

I am using the PasswordRecovery control in my ASP.NET WebForms application (C#). The thing is, when we use the PasswordRecovery control, we are forced to use the wizard structure, which means that if the user enters the username correctly, it hides the textbox and displays a success message (or whatever you put in SuccessTemplate).

Now, the issue with this is that when an unauthorized user tries to access the application, they can use this control to find out actual usernames in the application (a security risk). If they try a wrong username, they get the "UserNameFailureText", and if they enter a valid username, they see the next template (SuccessTemplate) with a success message (this way, they can tell whether the entered username exists in the system or not). So I want to remove the wizard structure: in every scenario, the textbox with the username should stay on the screen, and no matter what the user enters, they should see a generic message like "If you have entered the correct username, you will receive an email".

Does anyone know whether this is possible with the PasswordRecovery control, or do I have to build a custom page?

PS: I have tried removing SuccessTemplate from the page, but it then automatically uses the default success template.

Upvotes: 0

Views: 149

Answers (1)

Albert D. Kallal

Reputation: 49329

I don't see why you can't just create a page from scratch. All that text box will do is check if the user exists, send them the email, and display your message. There are thus not a whole lot of reasons to use the built-in template.

So, a simple reset-password button can run some code behind, send the reset email, and set a label or text box, or even some "div", as visible = true to display your message. You don't mention or note what authentication provider you are using, but given the built-in templates, that suggests FBA, and thus the tables that drive the site and hold users + passwords should be fully available to your code behind.

On the other hand, you might have to add some kind of password reset table, and, say, include a generated GUID and the datetime. That way, the link you send in the email is specific to the one user and has a limited time before it expires.

Or I suppose the link in the email could just direct them to the new password page, but I tend to toss in a GUID that is checked against that new reset table. With the GUID, when they click on their email link, you can display their name and only prompt for the new password. The email link simply includes that GUID as a parameter, and you pull that one row from the reset table to get who is about to reset their password.

Upvotes: -1
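A sketch of the custom page the answer describes, added here as an example (it is not code from the question or the answer): a reset request that returns the same message on every path, a token stored in a reset table with an expiry, and a reset page that looks the token up before prompting for the new password. It uses the ASP.NET Membership API the question refers to; the in-memory Dictionary standing in for the reset table, the ResetRecord type, the sendEmail delegate and the control names (txtUserName, lblMessage, btnReset) are assumptions. It departs from the answer in one respect: instead of a GUID it uses a 32-byte random token and stores only the token's SHA-256 hash, so a leaked table does not yield usable links.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Constructed stand-in for the "password reset table" the answer describes.
// In a real application each ResetRecord is a database row.
public class ResetRecord
{
    public string UserName;
    public DateTime ExpiresUtc;
    public bool Used;
}

public class PasswordResetService
{
    // The one message shown to every caller, valid username or not.
    public const string GenericMessage =
        "If you entered a valid username, you will receive an email with instructions.";

    private static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(30);

    // Keyed by the SHA-256 hash of the raw token, never by the token itself.
    private readonly Dictionary<string, ResetRecord> _table = new Dictionary<string, ResetRecord>();

    // Hypothetical mail sender: (recipient address, reset link). Supplied by the caller.
    private readonly Action<string, string> _sendEmail;

    public PasswordResetService(Action<string, string> sendEmail) { _sendEmail = sendEmail; }

    // Step 1: handle the "reset" button. Returns GenericMessage whether or not the user exists.
    public string RequestReset(string userName, string resetPageUrl)
    {
        if (!string.IsNullOrWhiteSpace(userName))
        {
            MembershipUser user = Membership.GetUser(userName);
            if (user != null && !string.IsNullOrEmpty(user.Email))
            {
                byte[] raw = new byte[32];
                using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
                    rng.GetBytes(raw);

                _table[HashKey(raw)] = new ResetRecord
                {
                    UserName = user.UserName,
                    ExpiresUtc = DateTime.UtcNow.Add(TokenLifetime),
                    Used = false
                };

                // URL-safe base64 of the raw token goes into the link; only its hash is stored.
                string link = resetPageUrl + "?t=" + HttpServerUtility.UrlTokenEncode(raw);
                _sendEmail(user.Email, link);
            }
        }
        return GenericMessage;   // same text on every path, so the page reveals nothing about the username
    }

    // Step 2: the reset page calls this with the "t" query-string value to decide
    // whether to show the "enter new password" form and whose name to display.
    public ResetRecord Lookup(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        byte[] raw;
        try { raw = HttpServerUtility.UrlTokenDecode(token); }
        catch (FormatException) { return null; }            // malformed token
        if (raw == null) return null;

        ResetRecord rec;
        if (!_table.TryGetValue(HashKey(raw), out rec)) return null;
        if (rec.Used || rec.ExpiresUtc < DateTime.UtcNow) return null;   // one-shot and time-limited
        return rec;
    }

    // Step 3: set the new password through the Membership API and burn the token.
    // MembershipUser.ResetPassword() needs enablePasswordReset="true" on the provider in web.config.
    public bool CompleteReset(string token, string newPassword)
    {
        ResetRecord rec = Lookup(token);
        if (rec == null) return false;
        MembershipUser user = Membership.GetUser(rec.UserName);
        if (user == null) return false;
        string temp = user.ResetPassword();                  // provider-generated temporary password
        bool ok = user.ChangePassword(temp, newPassword);
        if (ok) rec.Used = true;
        return ok;
    }

    private static string HashKey(byte[] raw)
    {
        using (SHA256 sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(raw));
    }
}

// Code-behind sketch for the "forgot password" page. txtUserName, lblMessage and
// btnReset are assumed to be declared in the .aspx markup.
public partial class ForgotPassword : System.Web.UI.Page
{
    private static readonly PasswordResetService Service =
        new PasswordResetService((to, link) => { /* send with System.Net.Mail.SmtpClient */ });

    protected void btnReset_Click(object sender, EventArgs e)
    {
        // The textbox stays on the page; only the label changes, and it always shows the same text.
        lblMessage.Text = Service.RequestReset(txtUserName.Text.Trim(), ResolveUrl("~/ResetPassword.aspx"));
        lblMessage.Visible = true;
    }
}
```

The response text is identical for known and unknown usernames, which is the property the question asks for. The amount of work behind it is not identical (a lookup plus an email send on one path, nothing on the other), so response time can still differ; handing the email off to a queue or background job rather than sending it inline narrows that gap. Expired and used rows should be purged periodically, and the lifetime (30 minutes here) should be as short as the email round-trip allows.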
