
Thread: Password reset link question

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Jun 2014
    Posts
    469

    Password reset link question

    Hello

    I have the following code that checks if a user - who wants to reset his forgotten password and has completed the relevant
    email address field - exists in my database:

    Code:
    Imports System.Data.OleDb
    Imports System.Web

    Protected Sub btnForgot_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnForgot.Click

            Const ConnectionString As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|students.mdb;"

            ' One fresh random code per request; it is stored against the user's row
            Dim uniqueCode As String = Guid.NewGuid().ToString("N")
            Dim recordExists As Boolean = False

            Using conn As New OleDbConnection(ConnectionString)
                Using cmd As OleDbCommand = conn.CreateCommand()
                    ' Parameterised UPDATE: the affected-row count tells us whether the e-mail address exists
                    cmd.CommandText = "UPDATE university SET uniqueCode = @uniqueCode WHERE strEmail = @strEmail"
                    cmd.Parameters.AddWithValue("@uniqueCode", uniqueCode)
                    cmd.Parameters.AddWithValue("@strEmail", strEmailTextBox.Text.Trim())

                    conn.Open()
                    Dim recordsAffected As Integer = cmd.ExecuteNonQuery()
                    If recordsAffected <> 0 Then recordExists = True
                End Using
            End Using

            If recordExists Then

                ' Build the link to newPassword.aspx with the code in the query string
                Dim builder As New UriBuilder(Request.Url)
                builder.Path = VirtualPathUtility.ToAbsolute("~/newPassword.aspx")
                builder.Query = "uniqueCode=" & HttpUtility.UrlEncode(uniqueCode)

                Dim link As String = builder.Uri.ToString()
                ' link is what goes into the body of the e-mail sent to the user
            End If
        End Sub
    The user is then sent an email by SMTP which works but, so far, that email does not include a link for him to click on to take him to the newPassword.aspx file mentioned in the code above for him to reset his password. I understand that this is done using a randomly-generated link which should no longer be valid after a password has been reset.

    Should I be looking at something like this to generate the link

    Code:
    ' WebSecurity lives in WebMatrix.WebData (Simple Membership); strEmailValue is the user's e-mail address
    Public Shared Function GeneratePasswordResetToken(strEmailValue As String, tokenExpirationInMinutesFromNow As Integer) As String

        Dim returnValue As String

        returnValue = WebSecurity.GeneratePasswordResetToken(strEmailValue, tokenExpirationInMinutesFromNow)
        Return returnValue
    End Function
    Yet, there is no mention in this code, is there, of a URL or my newPassword.aspx file where the user should be heading to? And where do I place this in my code? In myMessage.body of my SMTP code? There are very limited tutorials on this subject on the Net.

    Thanks for any advice.

    Steve

  2. #2
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,299

    Re: Password reset link question

    Are you using Microsoft's Simple Membership provider? If not then that second code snippet is useless because it assumes that you are.

    However you generate the token, you would append it to the query string of the link you provide in the email. When the user follows the link, you can recover the token from the query string and validate it. A membership provider like Simple Membership will do the validation for you.

  3. #3

    Thread Starter
    Hyperactive Member
    Join Date
    Jun 2014
    Posts
    469

    Re: Password reset link question

    Hello jmcilhinney

    That's a start, thanks.

    No, I have not used Simple Membership or any of the Membership attributes anywhere in these pages (I probably should have done so at the beginning, but it's a bit late now).

    I think I understand. The token needs to relate back to these lines:

    Code:
    Dim builder As New UriBuilder(Request.Url)
    builder.Path = VirtualPathUtility.ToAbsolute("~/newPassword.aspx")
    builder.Query = "uniqueCode=" & HttpUtility.UrlEncode(uniqueCode)
    Dim link As String = builder.Uri.ToString()
    Thanks again

  4. #4
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,299

    Re: Password reset link question

    Assuming that that uniqueCode is your token, you need to either store that against the user or else be able to regenerate it again when that user actually tries to reset their password.

  5. #5

    Thread Starter
    Hyperactive Member
    Join Date
    Jun 2014
    Posts
    469

    Re: Password reset link question

    Yes, I have it stored here in Access in my preliminary attempts

    [Attachment: stored.jpg]

  6. #6
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    6,597

    Re: Password reset link question

    Hi.
    An easy way, that is used in many forums, is to send the email to a page with a unique code. I'm not sure about the simple membership provider since I believe it needs an ASP membership database (at least that was the case in ASP.NET, not sure about ASP.NET MVC). From what I see you have your own membership database, so I will provide the answer based on that assumption.

    So when a user clicks to reset, what you do is create a GUID and an expiration date (as you have in your database) and send the email to it. There is no need for a hash, as what you do is send the GUID on the page and you then mark the expiration date, a date before the expiry (or a bit with used = 0 - 1), so that the GUID cannot be used again. Then the page that you have sent the GUID to will read the query string part (GUID) of the page and check it against the database. If there is a uniqueCode match then the user can change the password; else the GUID should be disabled, as mentioned before.
    A nice addition would be to have the user enter his/her username, along with the password, so you can make the match more easily.
    Be sure to have the page redirect to some login page if there is no GUID or an empty query string, to avoid hack attempts and showing a page that does not need to be shown except on a password reset by email.

    So --> email sent --> page gets GUID through query string read --> user enters username and new password --> reset and disable GUID.
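    The flow described in posts #2, #4 and #6 (token in the query string, stored against the user with an expiry, checked and then disabled on the reset page), as an added VB.NET example that is not code from this thread. It stands in for the Access table with an in-memory dictionary and, going beyond the thread, stores only a SHA-256 hash of the token so a copy of the database does not yield usable links; the class and member names are hypothetical.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text

' Stand-in for the per-user Access row the thread describes (uniqueCode plus an
' expiry): only the token's SHA-256 hash, the expiry and a used flag are kept.
Public Class ResetRecord
    Public TokenHash As Byte()
    Public ExpiresUtc As DateTime
    Public Used As Boolean
End Class

Public Class PasswordResetTokens
    ' Keyed by e-mail address; issuing again replaces (and so revokes) an older link.
    Private ReadOnly _rows As New Dictionary(Of String, ResetRecord)(StringComparer.OrdinalIgnoreCase)

    ' btnForgot_Click side: make a 256-bit random token, store its hash and expiry,
    ' and return the raw token for the "?uniqueCode=" part of the mailed link.
    Public Function Issue(email As String, lifetime As TimeSpan, nowUtc As DateTime) As String
        Dim raw(31) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(raw)                                 ' CSPRNG rather than Guid.NewGuid
        End Using
        Dim token As String = BitConverter.ToString(raw).Replace("-", "")   ' hex: safe in a URL as-is
        _rows(email) = New ResetRecord With {.TokenHash = Hash(token), .ExpiresUtc = nowUtc.Add(lifetime), .Used = False}
        Return token
    End Function

    ' newPassword.aspx side: the page reads uniqueCode from the query string and the user
    ' types the e-mail; the token must belong to that row, be unexpired and unused, and a
    ' successful check marks it used so the same link cannot be replayed.
    Public Function Redeem(email As String, token As String, nowUtc As DateTime) As Boolean
        Dim rec As ResetRecord = Nothing
        If String.IsNullOrEmpty(token) OrElse Not _rows.TryGetValue(email, rec) Then Return False
        If rec.Used OrElse nowUtc > rec.ExpiresUtc Then Return False
        ' Hashes of a random token are compared, so a byte-wise compare leaks nothing useful.
        If Not rec.TokenHash.SequenceEqual(Hash(token)) Then Return False
        rec.Used = True
        Return True
    End Function

    Private Shared Function Hash(token As String) As Byte()
        Using sha As SHA256 = SHA256.Create()
            Return sha.ComputeHash(Encoding.UTF8.GetBytes(token))
        End Using
    End Function
End Class
```

    Issue(...) returns the value to place after ?uniqueCode= in the link the thread builds with UriBuilder; on newPassword.aspx, pass the query-string value and the e-mail the user typed to Redeem(...). A second call with the same token, or a call after the lifetime has passed, returns False, which is where the page should redirect to the login page as post #6 suggests.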

  7. #7
    Junior Member
    Join Date
    Nov 2018
    Posts
    27

    Re: Password reset link question

    Hi Steve
    I was using your example as a base example for something that I was doing.

    -On the reset page-
    Code:
    Imports System.Collections.Specialized
    Imports System.Net.Mail
    Imports System.Web
    Imports System.Web.UI.WebControls

    Protected Sub SendMail_click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnForgot.Click

            Dim EmailValidate = EmailCheck(Me.UsersEmail.Text) 'VALIDATE EMAIL (EmailCheck is the poster's own helper)

            Dim uniqueCode As String = Guid.NewGuid().ToString("N")
            Dim builder As New UriBuilder(Request.Url)
            builder.Path = VirtualPathUtility.ToAbsolute("~/Public/VerificationPage.aspx")
            builder.Query = "uniqueCode=" & HttpUtility.UrlEncode(uniqueCode)
            Dim link As String = builder.Uri.ToString()

            Dim msg As System.Net.Mail.MailMessage = CreateMessage(link)
            msg.IsBodyHtml = False
            Dim smtp As New SmtpClient
            smtp.Send(msg)
        End Sub

        Private Function CreateMessage(ByVal link As String) As System.Net.Mail.MailMessage
            'Const ToAddress As String
            Dim ToAddress = Me.UsersEmail.Text 'TO

            ' MailDefinition merges the replacements into the template file ~/Recovery.txt
            Dim md As MailDefinition = New MailDefinition()
            md.BodyFileName = "~/Recovery.txt"
            md.CC = "YOURADDRESS@ME.COM"
            md.From = "FROMADDRESS@ME.COM"
            md.Subject = "RECOVERY"

            Dim replacements As ListDictionary = New ListDictionary()
            replacements.Add("<%To%>", ToAddress)
            replacements.Add("<%Verify%>", link) 'the template's <%Verify%> placeholder becomes the reset link

            Dim fileMsg As System.Net.Mail.MailMessage
            fileMsg = md.CreateMailMessage(ToAddress, replacements, Me)

            Return fileMsg
        End Function


    -- On the verification page / must be in the root folder, public facing --
    Code:
    Protected Sub Page_Load(ByVal Sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            If String.IsNullOrEmpty(Request.QueryString("uniqueCode")) Then
                Me.statusMessage.Text = "The USER ID was not found."
            Else
                Dim tmpValue1 = Request.QueryString("uniqueCode") 'VALIDATE AGAINST YOUR DATABASE
            End If
        End Sub
