Mr Lahey

Reputation: 676

Reset/Forgot password functionality in MVC 2 with default asp.net membership provider

I currently run a MVC2 website using the default Membership provider. Everything works great, but now I find the need for forgot password functionality.

After some googling the only good implementations I can find are based around using the machine key for security or the question and answer functionality.

The problem with those implementations is I already have a rather large userbase. I cannot swap my passwords to machine key now as I am using a hash system already.

passwordFormat="Hashed"

I also do not want to force existing users to add a question and answer after the fact. Question and answer is also less ideal as if they forget that info as well they are out of luck.

My ideal implementation is a user would click forgot password, enter their username or email (ideally email). They would then receive an email with either their current password (I believe this is impossible with the hash method I am using), a new randomized password they are told to change, or a link with a token that lets them reset the password once clicking it.

Are there any good guides out there for doing this quickly? Everything I can find either relates to using a machine key method or question and answer. I'm quite surprised I couldn't find anything as this is very common web functionality. I was surprised it's not even a part of the default membership provider that MVC comes with.

I realize the token is the most secure followed by the randomized password, but for now I'm pretty open to any of those 3 scenarios.

If you need any more info please let me know.

Upvotes: 0

Views: 1332

Answers (1)

Bojin Li

Reputation: 5799

Sending the user an email to change their password is a good solution, if the user's email address is already linked to his/her account somehow. It would be ideal if your User Names are required to be email addresses. Here is how I would do it:

  1. Create a ForgotPassword action on the Controller that manages your accounts. The HttpGet version just serves the "please enter email address" view, while the HttpPost version validates the email address, making sure it belongs to the user.
  2. If email address is valid, send the user an email. In that email you should have a link with the format "{Your Account Controller}ChangePassword?id={User Name of user that requested the password change, I would recommend you scramble this for security}"
  3. Your HttpGet ChangePassword action will take the id, map it to the user in your system. Then serve the corresponding view for the user to change their password.
  4. Your HttpPost ChangePassword action will update the user's old password with the new one.

With this approach you won't have to email them a password, you are essentially making a feature that allows the user to change his/her password.

Upvotes: 2
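The four steps above as one ASP.NET MVC 2 controller, written here as an added example (it is not code from the answer or from the ASP.NET framework). It follows the question's third scenario, a link carrying a random, single-use, expiring token, rather than placing a scrambled user name in the link: a user name, however it is encoded, is a fixed value that can be reconstructed or guessed, whereas a token drawn from the OS CSPRNG is only known to whoever received the email. Only the SHA-256 hash of the token is persisted, so the token table itself does not contain usable links. `IPasswordResetTokenStore` and the injected `_tokens` field are hypothetical and stand in for whatever table the application keeps; `no-reply@example.com` is a placeholder sender; the example assumes `enablePasswordReset="true"`, `requiresQuestionAndAnswer="false"` and `passwordFormat="Hashed"` on the membership provider, and SMTP settings in `<system.net><mailSettings>`.

```csharp
using System;
using System.Net.Mail;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical persistence for issued tokens, e.g. a table with TokenHash, UserName, Expires, Used.
public interface IPasswordResetTokenStore
{
    void Save(string tokenHash, string userName, DateTime expiresUtc);
    string GetUserNameForValidToken(string tokenHash);   // null if unknown, expired or already used
    void MarkUsed(string tokenHash);
}

public class AccountController : Controller
{
    private readonly IPasswordResetTokenStore _tokens;   // injected; hypothetical
    private static readonly TimeSpan TokenLifetime = TimeSpan.FromHours(1);

    public AccountController(IPasswordResetTokenStore tokens) { _tokens = tokens; }

    // Step 1 (GET): serve the "please enter email address" view.
    [HttpGet]
    public ActionResult ForgotPassword() { return View(); }

    // Step 1 (POST) and step 2: resolve the email to a user and send a single-use, expiring link.
    [HttpPost]
    public ActionResult ForgotPassword(string email)
    {
        string userName = Membership.GetUserNameByEmail(email);
        if (userName != null)
        {
            string token = NewToken();
            _tokens.Save(Hash(token), userName, DateTime.UtcNow.Add(TokenLifetime));

            string link = Url.Action("ResetPassword", "Account", new { token = token }, Request.Url.Scheme);
            var msg = new MailMessage("no-reply@example.com", email,   // placeholder sender address
                "Password reset", "Use this link within one hour to choose a new password: " + link);
            new SmtpClient().Send(msg);   // SMTP host/credentials come from web.config mailSettings
        }
        // Same response whether or not the address exists, so the form does not reveal which emails are registered.
        return View("ForgotPasswordSent");
    }

    // Step 3: the link is honoured only if the token hash is known, unexpired and unused.
    [HttpGet]
    public ActionResult ResetPassword(string token)
    {
        if (_tokens.GetUserNameForValidToken(Hash(token)) == null)
            return View("ResetLinkInvalid");
        return View();   // form with a hidden "token" field plus newPassword / confirmPassword
    }

    // Step 4: with passwordFormat="Hashed" the old password cannot be recovered, so
    // ResetPassword() issues a temporary one and ChangePassword() replaces it immediately.
    [HttpPost]
    public ActionResult ResetPassword(string token, string newPassword, string confirmPassword)
    {
        string tokenHash = Hash(token);
        string userName = _tokens.GetUserNameForValidToken(tokenHash);
        if (userName == null) return View("ResetLinkInvalid");

        // Check policy before touching the account: once ResetPassword() has run the old password is gone.
        if (newPassword != confirmPassword || newPassword.Length < Membership.MinRequiredPasswordLength)
        {
            ModelState.AddModelError("", "Passwords must match and meet the minimum length.");
            return View();
        }

        MembershipUser user = Membership.GetUser(userName);
        string temporary = user.ResetPassword();
        if (!user.ChangePassword(temporary, newPassword))
        {
            // Token is deliberately not consumed here, so the user can retry with the same link.
            ModelState.AddModelError("", "The new password does not meet the password policy.");
            return View();
        }
        _tokens.MarkUsed(tokenHash);   // the link is single-use
        return View("ResetPasswordSuccess");
    }

    // 32 random bytes from the OS CSPRNG, encoded as URL-safe base64 without padding.
    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(bytes); }
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Hex SHA-256 of the token; this is what the store indexes on.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(token ?? string.Empty));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }
}
```

Two design points worth keeping when adapting this: the POST to `ForgotPassword` answers identically for known and unknown addresses, and the store should reject a token on any of three conditions (unknown hash, past `Expires`, already `Used`), since a reset link that stays valid after use or indefinitely is the usual weakness in home-grown implementations.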