Comments on: Easy login recovery without compromising security http://jamesmckay.net/2008/06/easy-login-recovery-without-compromising-security/ because there are few things that are less logical than business logic Sun, 20 May 2012 20:03:52 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: James http://jamesmckay.net/2008/06/easy-login-recovery-without-compromising-security/comment-page-1/#comment-131 James Tue, 22 Jul 2008 18:40:32 +0000 http://jamesmckay.net/2008/06/how-to-let-users-recover-their-logins-easily-without-compromising-security/#comment-131 It's a bit awkward because the ASP.NET membership provider and login controls aren't really designed with this kind of scenario in mind, so you will need to do a bit of coding to achieve it rather than the usual drag and drop. In particular: 1. Changing a password with the ASP.NET membership provider requires both the old password and the new password. However, you can get round this by calling <code>MembershipProvider.ResetPassword</code> and passing the result to <code>MembershipProvider.ChangePassword</code>. 2. You'll need to roll your own equivalent to the <code>PasswordRecovery</code> control as it isn't designed with this in mind. It either sends out the user's old password or else it resets it to a new one and sends that instead. Also, if you want to send out links that expire after, say, a couple of hours or so, you will need to add an extra table to the database to contain them. It’s a bit awkward because the ASP.NET membership provider and login controls aren’t really designed with this kind of scenario in mind, so you will need to do a bit of coding to achieve it rather than the usual drag and drop. In particular:

1. Changing a password with the ASP.NET membership provider requires both the old password and the new password. However, you can get round this by calling MembershipProvider.ResetPassword and passing the result to MembershipProvider.ChangePassword.

2. You’ll need to roll your own equivalent to the PasswordRecovery control as it isn’t designed with this in mind. It either sends out the user’s old password or else it resets it to a new one and sends that instead. Also, if you want to send out links that expire after, say, a couple of hours or so, you will need to add an extra table to the database to contain them.

]]> By: chad http://jamesmckay.net/2008/06/easy-login-recovery-without-compromising-security/comment-page-1/#comment-130 chad Mon, 21 Jul 2008 23:00:35 +0000 http://jamesmckay.net/2008/06/how-to-let-users-recover-their-logins-easily-without-compromising-security/#comment-130 Hi James, Thanks for the post. I was curious if you found a way to implement a link-based password reset function in a MembershipProvider implementation. As far as I can tell, one of the existing methods would have to be hijacked in order to do it. Is there a more elegant way? Thanks, Chad Hi James,

Thanks for the post. I was curious if you found a way to implement a link-based password reset function in a MembershipProvider implementation. As far as I can tell, one of the existing methods would have to be hijacked in order to do it. Is there a more elegant way?

Thanks,
Chad

]]>