
I am working with ASP.NET 4.5 web forms: I need users to be able to reset their password via email (still working on that), Security Question/Answer and using the Forgot Password method.

The problem I have is that, in order to use the Reset/Change password method, I need to turn the Security Question/Answer to false. So I created a workaround by creating a table which stores the Security Question and Answer.

When the user answers correctly, in addition to entering an ID Number, they are landed on the Reset Password page. It all works great, they can reset password and log in.

My problem: I need the reset password page to not be public. Is there a way I can utilize the Username, which I can get from the DB when the user answers correctly, to give access to the Reset Page?

Currently anyone can get to this URL. I was also thinking about Enable/Disable controls on the same page rather than a URL.

Thanks for reading my long story.

1 Answer

Why don't you use a Guid as a reset-credentials token; save it somewhere in the database (some table) and then use the Guid as a query string parameter to the Reset-Password page? In the Reset-Pswd page, check if the token in the query string is valid. If it is not, tell the user it's a bad request or something. Let me know if it's unclear.

In your Login form, use this in your forgot_pswd Click event handler.

```csharp
// Runs after the user has answered the secret question correctly and
// userId has been looked up from the DB.
var resetToken = Guid.NewGuid();

// Code to insert into a table on the db.
// Have a table something like:
// ResetCredentialsToken(UserId int, Token nvarchar(256), IsExpired int)
YourDAL.InsertPwdToken(userId, resetToken, 0);

Response.Redirect("ResetPswd.aspx?Guid=" + resetToken.ToString());
```

In the ResetPswd.aspx page, check if the token is a valid one in Page_Load. The page only knows the token from the query string, so it looks the token up directly rather than taking a userId that it does not yet have:

```csharp
Guid resetToken;
if (!Guid.TryParse(Request.QueryString["Guid"], out resetToken)
    || !YourDAL.IsValidToken(resetToken))
{
    showSomething();   // bad request: token missing, malformed or unknown
    return;
}
```
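A fuller version of the token issue/check the answer sketches, added here as an example and not code from the answer or from any project: the store keeps only a SHA-256 hash of the token, gives it an expiry, makes it single-use, and draws the token from RandomNumberGenerator instead of Guid.NewGuid (which is not documented as cryptographically random). ResetTokenStore, Issue, Redeem and the query string name "token" are hypothetical names; an in-memory dictionary stands in for the ResetCredentialsToken table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory stand-in for the ResetCredentialsToken table (example code).
public sealed class ResetTokenStore
{
    private sealed class Row { public int UserId; public DateTime ExpiresUtc; public bool Used; }

    // Keyed by the SHA-256 hash of the token, so a copy of the table yields no usable links.
    private readonly Dictionary<string, Row> _rows = new Dictionary<string, Row>();
    private readonly TimeSpan _lifetime;

    public ResetTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called after the user has answered the secret question correctly.
    // Returns the raw token to embed in the reset link; only its hash is stored.
    public string Issue(int userId, DateTime nowUtc)
    {
        var raw = new byte[32];                                   // 256 bits from the CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=')
                              .Replace('+', '-').Replace('/', '_'); // URL-safe alphabet
        _rows[Hash(token)] = new Row { UserId = userId, ExpiresUtc = nowUtc + _lifetime, Used = false };
        return token;
    }

    // Called from ResetPswd.aspx Page_Load with Request.QueryString["token"].
    // Returns the owning user id, or null when the token is missing, unknown, expired or used.
    public int? Redeem(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return null;
        Row row;
        if (!_rows.TryGetValue(Hash(token), out row)) return null;
        if (row.Used || nowUtc > row.ExpiresUtc) return null;
        row.Used = true;                                          // single use: link dies after one visit
        return row.UserId;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}

// Page_Load sketch: keep the resolved user id in Session, never in a hidden field or the URL.
//   int? userId = store.Redeem(Request.QueryString["token"], DateTime.UtcNow);
//   if (userId == null) { Response.StatusCode = 400; return; }   // bad request, as the answer suggests
//   Session["ResetUserId"] = userId.Value;
```

Because Redeem marks the row used before returning, a second request with the same link is rejected even if it arrives inside the lifetime window.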

5 Comments

Actually that is a great idea. I feel a little less smart. I was planning on it as part of the email reset link. The truth is I do not know how to do it. But I'll get it going in no time. I guess I am just confused about getting the link with the GUID. If you want to give me a jump start, that would be great otherwise I still appreciate the answer. I need to do this for the email, anyway.
Happens. We tend to get lost in our own thoughts, pal. I edited the answer now. I don't know what you've got there, it could be VB.NET or C#. You may have an OLEDB data access layer, an ADO.NET DAL. I just gave a rough idea in the pseudo code. Let me know if it helps.
Thanks for the example: I am Using SQL Server 2012 and C#/ASP.NET 4.5. So do I first create this token when the user Creates an account? Or do I perform the above when the user clicks the forgot password button/click event?
Create it when he/she correctly answers the secret question. Then send the user an email containing the hyperlink to reset his/her password. That hyperlink could be "yoursite/pwdToken=" + guid
Thank you VanKat. This is quite a great start for me. Have a great day!
