0

I am implementing my own reset password in ASP.NET. In reset password, first I create a random string and mail it to the user's email. The link in the email is like http://xyz.com/account/forgot?random=xxxx&userid=xx. I created an HttpGet action forgot which should return a view with input tags for passwords if randomid and userid are validated. But in the HttpPost forgot action, I have confusion about the parameters. I have forgotModel having 2 properties, password and confirmpassword. If I just pass forgotModel to the HttpPost action, then I cannot query the user from the database. I think I should pass randomId as a parameter. But, I am getting how to grab randomID from the url of the HttpGet action (if I do so, is it safe?)? Please guide me, I got stuck. Thanks in advance.

4
  • Are you using SimpleMembership? Commented Apr 13, 2013 at 16:02
  • No, I am using custom membership Commented Apr 13, 2013 at 16:06
  • Please show the code that you've gotten stuck on (your HttpPost action and the forgotModel). Commented Apr 15, 2013 at 14:25
  • I got solution... below answer Commented Apr 16, 2013 at 10:05

1 Answer

1

Are you using something like Html.BeginForm("action","controller")? If so, then you will lose the querystring parameters. Since the HttpGet and HttpPost methods of ForGotPassword(..) have the same action name, you can just use Html.BeginForm(). So the form will post data to the page URL and you will get the querystring along with it.

In your HttpPost method you can define it like this:

    [HttpPost]
    public ActionResult ForGot(ForgotModel model, string random, string userid)
    {
        // ...
    }
If you do not want to follow the above approach, then in the HttpGet method write them to ViewBag/ViewData and put them as hidden fields in the view. Then you can receive them as input to the method.

    [HttpGet]
    public ActionResult ForGot(string random, string userid)
    {
        // Pass the query string values on to the view
        ViewBag.Random = random;
        ViewBag.Userid = userid;
        // ...
    }

    [HttpPost]
    public ActionResult ForGot(ForgotModel model, string random, string userid)
    {
        // ...
    }

and, in the view:

    @using (Html.BeginForm("ForGot", "Account"))
    {
        @* ... *@
        @Html.Hidden("random", (string)ViewBag.Random)
        @Html.Hidden("userid", (string)ViewBag.Userid)
        @* ... *@
    }

3 Comments

+1. In case you are susceptible in keeping the id in a hidden field, which you should not, because it is the same as you passed in the querystring, you can also use the Session variable.
@Manas, I don't want to use a hidden field, because of susceptible attacks. The first approach can be better. Thanks
Seems rather trivial to forge the data for the post method and reset an arbitrary user's password?
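
An added example (not part of the answer or comments above) of the server-side check the last comment is pointing at: whichever way `random` and `userid` reach the `[HttpPost]` action, both are client-supplied, so the action has to re-validate the pair itself, and the token should expire and work only once. `ResetTokenStore` and its in-memory dictionary are hypothetical stand-ins for the custom membership database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example. ResetTokenStore is a hypothetical name; the dictionary
// stands in for a table in the custom membership database.
public class ResetTokenStore
{
    private class Entry { public byte[] Hash; public DateTime ExpiresUtc; }
    private readonly Dictionary<string, Entry> _pending = new Dictionary<string, Entry>();

    // Reset requested: returns the value to e-mail as ?random=...
    // Only a hash is stored, so a leaked table does not yield usable links.
    public string Issue(string userId, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).Replace('+', '-').Replace('/', '_').TrimEnd('=');
        _pending[userId] = new Entry { Hash = Sha256(token), ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // GET: check the link without consuming it, so the form can be shown.
    public bool IsValid(string userId, string token)
    {
        Entry e;
        if (userId == null || token == null || !_pending.TryGetValue(userId, out e)) return false;
        if (DateTime.UtcNow > e.ExpiresUtc) { _pending.Remove(userId); return false; }
        return FixedTimeEquals(e.Hash, Sha256(token));
    }

    // POST: validate again, then consume so the same link cannot be replayed.
    public bool Redeem(string userId, string token)
    {
        if (!IsValid(userId, token)) return false;
        _pending.Remove(userId);
        return true;
    }

    private static byte[] Sha256(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    // Compares every byte so timing does not reveal where the hashes differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the `[HttpPost]` action, call `Redeem(userid, random)` before changing the password and return an error view when it is false; the `[HttpGet]` action only needs `IsValid`.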
