How should I implement "Forgot your password" in ASP.NET MVC?
I'm using the standard SqlMembershipProvider that comes with the ASP.NET MVC demo.

I'm interested in implementing a "Forgot your password" link on my site.

What is the correct way for this feature to be implemented? Should I overwrite the password with a temporary one and email it to their registered email?

Kinakinabalu answered 22/8, 2009 at 19:34
Based on the nature of the application, the best practice for "forgot password" should be in the following order:

  1. Allow the user to verify the secret question/answer for a maximum of 3 to 5 attempts.
  2. On successful validation, send an e-mail with a randomly generated password with a validity of 24 hrs.
  3. The e-mail must contain only the password, not both username and password.
  4. When the user logs in with the temporary password, the user must be forced to create a new password before going to the home page.

Picrate answered 23/8, 2009 at 4:13
The provider will automatically do the reset for you:

http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.resetpassword.aspx

The sample just returns the new password to the browser instead of emailing the user but uses the secret question / answer that can be configured with the provider.

This sample gets the password and emails it:

http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.getpassword.aspx

I think either approach is safe. The email-it step is a bit safer, since the user would have to know the question/answer and the email password to hack an account.

I realize these samples are not using MVC but I am sure it's enough to get you going. :)

Fanny answered 22/8, 2009 at 19:45
Surely it is better to email the user a link with some sort of impossible-to-guess URL (say, containing a random Guid). When the user clicks the URL they are able to reset the password. The URL should be good for one use only, and should expire after a set time.

Veats answered 17/1, 2013 at 7:34
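The one-use, expiring reset link described in the answer above, as an added C# example that is not part of the original answer or of any membership provider: the PasswordResetTokens class and its in-memory dictionary are hypothetical, and a real site would persist the same fields (user name, token hash, expiry, used flag) in its database and look the user up through the membership provider.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical store for password-reset tokens (in-memory here; persist in a real app).
public class PasswordResetTokens
{
    private class Entry { public string UserName; public DateTime ExpiresUtc; public bool Used; }
    private readonly Dictionary<string, Entry> _byHash = new Dictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    public PasswordResetTokens(TimeSpan lifetime) { _lifetime = lifetime; }

    // Returns the raw token to embed in the e-mailed link. Only a SHA-256 hash of it is
    // stored, so a copy of the table cannot be turned into a live reset link.
    public string Issue(string userName, DateTime nowUtc)
    {
        var bytes = new byte[32];                                  // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        // URL-safe base64 so the token can travel in a query string unchanged
        string token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _byHash[Hash(token)] = new Entry { UserName = userName, ExpiresUtc = nowUtc + _lifetime, Used = false };
        return token;
    }

    // Consumes the token: succeeds at most once, and only before its expiry.
    // On success the caller sets the new password for userName.
    public bool TryRedeem(string token, DateTime nowUtc, out string userName)
    {
        userName = null;
        Entry e;
        if (token == null || !_byHash.TryGetValue(Hash(token), out e)) return false;
        if (e.Used || nowUtc > e.ExpiresUtc) return false;
        e.Used = true;                                             // one use only
        userName = e.UserName;
        return true;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

A second call to TryRedeem with the same token, or a call after the lifetime has elapsed, returns false, which is the one-use and expiry behaviour the answer asks for.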
It depends on what type of membership provider you are using. But I would recommend using the simple membership provider for authentication; for more detail please visit the following link

Here is some code for you

using System.Web.Mvc;
using WebMatrix.WebData;   // WebSecurity (SimpleMembership)

[HttpPost]
[AllowAnonymous]
public ActionResult ForgotPassword(ForgotPasswordModel model)
{
    // ... (elided in the original answer)
    if (WebSecurity.UserExists(model.UserName))
    {
        // token is valid for 60 minutes
        var token = WebSecurity.GeneratePasswordResetToken(model.UserName, 60);
        // ... (elided in the original answer)
        // send this token by email
    }
    else
    {
        ModelState.AddModelError("", "Could not find User");
    }
    return View(model);
}

[HttpPost]
public ActionResult ResetPassword(ResetPasswordModel model)
{
    string token = Request.Params["token"];
    if (!string.IsNullOrEmpty(token))
    {
        if (WebSecurity.ResetPassword(token, model.NewPassword))
        {
            // send email ... or
            return View();
        }
    }
    return View(model);   // added so that every path returns a result
}

Seadon answered 14/2, 2013 at 22:3