change password in MVC 4
I am building an ASP.NET MVC 4 application. I use the Simple Membership provider to manage authentication and authorization within the system. What are the ways of changing the password in this approach? I found a ChangePassword method which takes three parameters, including the original password, to operate.

Is there any other way to override/change the password for the user without actually knowing original password?

Poly answered 10/1, 2013 at 16:20 Comment(1)
Aren't you rather looking for a password reset function? If the user doesn't know the original password, how did they log on? And if they're not logged on, exactly which user's password are they going to change?Gailey
18
ChangePassword is used when a user wants to change their own password, and the current password is their evidence to allow this to happen (think Change Password screen).

I think the most direct way to do this is to call WebSecurity.GeneratePasswordResetToken() and pass the result into WebSecurity.ResetPassword, along with the new password.

    var token = WebSecurity.GeneratePasswordResetToken("UserName");
    var result = WebSecurity.ResetPassword(token, "NewPassword");
Bovid answered 10/1, 2013 at 16:29 Comment(0)
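The two calls above are the whole mechanism, but dropped into a controller they need a few guards. The following is an added example, not code from the answer above: an administrator-only action that overrides a user's password without knowing the current one. The role name "Administrator", the AdminController and ForcePasswordModel names, and the Index redirect are placeholders I chose; the WebSecurity calls are the real WebMatrix.WebData API.

```csharp
// Added example (not from the original answer). Assumes the "Administrator"
// role name and the controller/model/view names below; they are placeholders.
using System;
using System.Web.Mvc;
using WebMatrix.WebData;

public class ForcePasswordModel
{
    public string UserName { get; set; }
    public string NewPassword { get; set; }
}

[Authorize(Roles = "Administrator")]   // only privileged users may override a password
public class AdminController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]           // the form must carry the anti-CSRF token
    public ActionResult ForcePassword(ForcePasswordModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        if (!WebSecurity.UserExists(model.UserName))
        {
            ModelState.AddModelError("", "Unknown user.");
            return View(model);
        }

        bool changed;
        try
        {
            // The token is consumed in this same request, so it only needs to
            // live for a minute instead of the 1440-minute (24 h) default.
            string token = WebSecurity.GeneratePasswordResetToken(
                model.UserName, tokenExpirationInMinutesFromNow: 1);

            // ResetPassword returns false if the token is unknown or expired and
            // clears the stored token on success, so it cannot be replayed.
            changed = WebSecurity.ResetPassword(token, model.NewPassword);
        }
        catch (InvalidOperationException)
        {
            // GeneratePasswordResetToken throws for accounts that exist in the
            // users table but have no confirmed membership row (IsConfirmed = 0).
            changed = false;
        }

        if (!changed)
        {
            ModelState.AddModelError("", "The password could not be reset.");
            return View(model);
        }
        return RedirectToAction("Index");
    }
}
```

Note that ResetPassword only checks that the new password is non-empty; any length or complexity policy has to be enforced on the model or before the call, and the override should be written to an audit log with the acting administrator's identity.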
4
There is a detailed article on how to implement password reset/change with SimpleMembership in MVC 4 here. It also includes source code you can download.

This example uses email to send a URL to the user to click on for password reset. This is more secure than just having the user enter the old password and new password directly on the website because it is another verification of the user. This alleviates the scenario where someone gets hold of the user's password and locks them out by changing it. This also allows the user to reset the password in the case where they have forgotten it.

The code to send the email with the link would look something like this.

// Requires: using System.Web.Mvc; using WebMatrix.WebData;
// The dynamic Email class used below is the Postal library's view-based mailer.
// Note: GetEmail is not a member of WebMatrix.WebData.WebSecurity; it is
// supplied by the article's own code, which this answer does not reproduce.
[AllowAnonymous]
[HttpPost]
public ActionResult ResetPassword(ResetPasswordModel model)
{
    string emailAddress = WebSecurity.GetEmail(model.UserName);
    if (!string.IsNullOrEmpty(emailAddress))
    {
        // The token is stored against the membership row; with no second
        // argument it expires 24 hours after it is generated.
        string confirmationToken =
            WebSecurity.GeneratePasswordResetToken(model.UserName);
        dynamic email = new Email("ChngPasswordEmail");   // view name of the mail template
        email.To = emailAddress;
        email.UserName = model.UserName;
        email.ConfirmationToken = confirmationToken;
        email.Send();

        return RedirectToAction("ResetPwStepTwo");
    }

    return RedirectToAction("InvalidUserName");
}

This creates an email that has a link to an action that accepts the token as the id that is passed in. When they click on the link it hits this method.

[AllowAnonymous]
public ActionResult ResetPasswordConfirmation(string Id)
{
    // The token arrives as the route/query-string "id" value from the mailed link.
    ResetPasswordConfirmModel model = new ResetPasswordConfirmModel() { Token = Id };
    return View(model);
}

This action gets the token from the query string and puts it in the ResetPasswordConfirmModel that is passed to the view, which allows the user to enter the new password. The new password is entered twice to make sure they entered it correctly, which is validated on the page. When they submit this information they are taken to the POST version of this action, which actually resets the password.

[AllowAnonymous]
[HttpPost]
public ActionResult ResetPasswordConfirmation(ResetPasswordConfirmModel model)
{
    // ResetPassword returns false when the token is unknown or has expired.
    if (WebSecurity.ResetPassword(model.Token, model.NewPassword))
    {
        return RedirectToAction("PasswordResetSuccess");
    }
    return RedirectToAction("PasswordResetFailure");
}
Arva answered 12/12, 2013 at 15:32 Comment(2)
While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From ReviewClot
@Clot - Good point. I have added the relevant details in my updated answer.Arva
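The three actions in the answer above work, but as posted they tell an anonymous caller whether a user name exists (the InvalidUserName redirect), rely on the 24-hour default token lifetime, and only discover a bad token after the user has typed a new password. The following is an added example, not the article's or the answer's code, showing the same flow with those points addressed. The IEmailSender interface, its SendResetLink method, the user-name-to-address lookup, the 30-minute lifetime and the dependency-resolver-supplied constructor are all assumptions of this example; the WebSecurity calls are the real API.

```csharp
// Added example (not from the original answer or the linked article).
// Assumptions: IEmailSender/SendResetLink, the e-mail address lookup delegate,
// the 30-minute token lifetime, and an MVC dependency resolver that supplies
// the constructor arguments. WebSecurity has no GetEmail method of its own.
using System;
using System.Web.Mvc;
using WebMatrix.WebData;

public interface IEmailSender
{
    void SendResetLink(string toAddress, string resetUrl);   // assumed helper
}

public class ResetPasswordModel { public string UserName { get; set; } }

public class ResetPasswordConfirmModel
{
    public string Token { get; set; }
    public string NewPassword { get; set; }
    public string ConfirmPassword { get; set; }
}

public class AccountController : Controller
{
    private const int ResetTokenLifetimeMinutes = 30;      // assumed policy
    private readonly IEmailSender _mail;
    private readonly Func<string, string> _emailLookup;     // user name -> address, assumed

    public AccountController(IEmailSender mail, Func<string, string> emailLookup)
    {
        _mail = mail;
        _emailLookup = emailLookup;
    }

    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ResetPassword(ResetPasswordModel model)
    {
        if (ModelState.IsValid && WebSecurity.UserExists(model.UserName))
        {
            try
            {
                string token = WebSecurity.GeneratePasswordResetToken(
                    model.UserName, ResetTokenLifetimeMinutes);
                // Absolute URL so the link works from the mail client.
                string url = Url.Action("ResetPasswordConfirmation", "Account",
                    new { id = token }, Request.Url.Scheme);
                _mail.SendResetLink(_emailLookup(model.UserName), url);
            }
            catch (InvalidOperationException)
            {
                // Thrown for accounts without a confirmed membership row;
                // deliberately handled like an unknown user (same response).
            }
        }
        // One outcome for every input: "if that account exists, mail was sent",
        // so the form cannot be used to enumerate valid user names.
        return RedirectToAction("ResetPwStepTwo");
    }

    [AllowAnonymous]
    public ActionResult ResetPasswordConfirmation(string id)
    {
        // GetUserIdFromPasswordResetToken returns -1 for a token that is not on
        // file (it does not check expiry; ResetPassword does that below), so
        // obviously bogus links never reach the new-password form.
        if (string.IsNullOrEmpty(id) || WebSecurity.GetUserIdFromPasswordResetToken(id) == -1)
            return RedirectToAction("PasswordResetFailure");
        return View(new ResetPasswordConfirmModel { Token = id });
    }

    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ResetPasswordConfirmation(ResetPasswordConfirmModel model)
    {
        // Server-side confirmation check; client-side validation alone is bypassable.
        if (!ModelState.IsValid || model.NewPassword != model.ConfirmPassword)
            return View(model);
        // False for an unknown or expired token; on success the stored token is
        // cleared, so the mailed link cannot be replayed.
        if (WebSecurity.ResetPassword(model.Token, model.NewPassword))
            return RedirectToAction("PasswordResetSuccess");
        return RedirectToAction("PasswordResetFailure");
    }
}
```

The GET check is a usability measure, not a security boundary: the real verification is the expiry and token match inside ResetPassword. Token generation uses a cryptographic random source internally, but the link still travels by e-mail, which is why the short lifetime and the one-time clearing of the token matter.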
