-
Mar 24th, 2017, 12:38 AM
#1
Thread Starter
Hyperactive Member
Password reset link question
Hello
I have the following code that checks if a user - who wants to reset his forgotten password and has completed the relevant
email address field - exists in my database:
Code:
Protected Sub btnForgot_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnForgot.Click
    Const ConnectionString As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|students.mdb;"
    ' One-time code that is stored against the user and later placed in the link
    Dim uniqueCode As String = Guid.NewGuid().ToString("N")
    Dim recordExists As Boolean = False
    Using conn As New OleDbConnection(ConnectionString)
        Using cmd As OleDbCommand = conn.CreateCommand()
            ' OLE DB binds parameters by position, so they are added in the order they appear in the SQL
            cmd.CommandText = "UPDATE university SET uniqueCode = @uniqueCode WHERE strEmail = @strEmail"
            cmd.Parameters.AddWithValue("@uniqueCode", uniqueCode)
            cmd.Parameters.AddWithValue("@strEmail", strEmailTextBox.Text.Trim())
            conn.Open()
            ' A non-zero row count means the email address exists in the table
            Dim recordsAffected As Integer = cmd.ExecuteNonQuery()
            If recordsAffected <> 0 Then recordExists = True
        End Using
    End Using
    If recordExists Then
        ' Build an absolute link to newPassword.aspx with the code in the query string
        Dim builder As New UriBuilder(Request.Url)
        builder.Path = VirtualPathUtility.ToAbsolute("~/newPassword.aspx")
        builder.Query = "uniqueCode=" & HttpUtility.UrlEncode(uniqueCode)
        Dim link As String = builder.Uri.ToString()
        ' The email is sent from here (not shown in the post)
    End If
End Sub
The user is then sent an email by SMTP which works but, so far, that email does not include a link for him to click on to take him to the newPassword.aspx file mentioned in the code above for him to reset his password. I understand that this is done using a randomly-generated link which should no longer be valid after a password has been reset.
Should I be looking at something like this to generate the link?
Code:
Public Shared Function GeneratePasswordResetToken(strEmailValue As String,
        tokenExpirationInMinutesFromNow As Integer) As String
    ' strEmailValue is the user's email address
    Dim returnValue As String
    returnValue = WebSecurity.GeneratePasswordResetToken(strEmailValue, tokenExpirationInMinutesFromNow)
    Return returnValue
End Function
Yet, there is no mention in this code, is there, of a URL or my newPassword.aspx file where the user should be heading to? And where do I place this in my code? In myMessage.body of my SMTP code? There are very limited tutorials on this subject on the Net.
Thanks for any advice.
Steve
-
Mar 24th, 2017, 01:15 AM
#2
Re: Password reset link question
Are you using Microsoft's Simple Membership provider? If not then that second code snippet is useless because it assumes that you are.
However you generate the token, you would append it to the query string of the link you provide in the email. When the user follows the link, you can recover the token from the query string and validate it. A membership provider like Simple Membership will do the validation for you.
-
Mar 24th, 2017, 01:27 AM
#3
Thread Starter
Hyperactive Member
Re: Password reset link question
Hello jmcilhinney
That's a start, thanks.
No, I have not used Simple Membership or any of the Membership attributes anywhere in these pages (I probably should have done so at the beginning, but it's a bit late now).
I think I understand. The token needs to relate back to these lines:
Code:
Dim builder As New UriBuilder(Request.Url)
builder.Path = VirtualPathUtility.ToAbsolute("~/newPassword.aspx")
builder.Query = "uniqueCode=" & HttpUtility.UrlEncode(uniqueCode)
Dim link As String = builder.Uri.ToString()
Thanks again
-
Mar 24th, 2017, 01:48 AM
#4
Re: Password reset link question
Assuming that that uniqueCode is your token, you need to either store that against the user or else be able to regenerate it again when that user actually tries to reset their password.
-
Mar 24th, 2017, 01:54 AM
#5
Thread Starter
Hyperactive Member
Re: Password reset link question
Yes, I have it stored here in Access in my preliminary attempts
-
Apr 5th, 2017, 06:36 AM
#6
Re: Password reset link question
Hi.
An easy way that is used in many forums is to send the email to a page with a unique code. I'm not sure about the Simple Membership provider since I believe it needs an ASP membership database (at least that was the case in ASP.NET, not sure about ASP.NET MVC). From what I see you have your own membership database so I will provide the answer based on that assumption.
So when a user clicks to reset, what you do is create a GUID and an expiration date (as you have in your database) and send the email to it. There is no need for a hash as what you do is send the GUID on the page and you then mark the expiration date, a date before the expiry (or a bit with used = 0 - 1) so that GUID cannot be used again. Then the page that you have sent the GUID to will read the querystring part (GUID) of the page and check against the database. If there is a uniquecode match then the user can change the password, else the GUID should be disabled, as mentioned before.
A nice addition would be to have the user enter his/her username, along with the password, so you can make the match more easily.
Be sure to have the page redirect to some login page if there is no GUID or an empty querystring, to avoid hack attempts and showing a page that does not need to show except on a pass reset by email.
So --> email sent --> page gets GUID through querystring read --> user enters username and new password --> reset and disable GUID.
ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·
-
Aug 22nd, 2019, 01:40 PM
#7
Junior Member
Re: Password reset link question
Hi Steve
I was using your example as a base example for something that I was doing.
-On the reset page-
Code:
Imports System.Net.Mail
Imports System.Collections.Specialized   ' ListDictionary
Imports System.Web.UI.WebControls        ' MailDefinition

Protected Sub SendMail_click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnForgot.Click
    ' EmailCheck is the poster's own helper (not shown)
    Dim EmailValidate = EmailCheck(Me.UsersEmail.Text) 'VALIDATE EMAIL
    ' uniqueCode is not saved here; it has to be stored against the user
    ' (as in post #1) for the verification page to be able to check it
    Dim uniqueCode As String = Guid.NewGuid().ToString("N")
    Dim builder As New UriBuilder(Request.Url)
    builder.Path = VirtualPathUtility.ToAbsolute("~/Public/VerificationPage.aspx")
    builder.Query = "uniqueCode=" & HttpUtility.UrlEncode(uniqueCode)
    Dim link As String = builder.Uri.ToString()
    Dim msg As System.Net.Mail.MailMessage = CreateMessage(link)
    msg.IsBodyHtml = False
    ' SMTP host and credentials come from the mailSettings section of web.config
    Dim smtp As New SmtpClient
    smtp.Send(msg)
End Sub

Private Function CreateMessage(ByVal link As String) As System.Net.Mail.MailMessage
    Dim ToAddress = Me.UsersEmail.Text 'TO
    Dim md As MailDefinition = New MailDefinition()
    ' Recovery.txt is the body template containing the <%To%> and <%Verify%> placeholders
    md.BodyFileName = "~/Recovery.txt"
    md.CC = "YOURADDRESS@ME.COM"
    md.From = "FROMADDRESS@ME.COM"
    md.Subject = "RECOVERY"
    Dim replacements As ListDictionary = New ListDictionary()
    replacements.Add("<%To%>", ToAddress)
    replacements.Add("<%Verify%>", link)
    Dim fileMsg As System.Net.Mail.MailMessage
    fileMsg = md.CreateMailMessage(ToAddress, replacements, Me)
    Return fileMsg
End Function
--On the verification page/ Must be in the root folder public facing --
Code:
Protected Sub Page_Load(ByVal Sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If String.IsNullOrEmpty(Request.QueryString("uniqueCode")) Then
        ' No code in the query string: nothing to verify
        Me.statusMessage.Text = "The USER ID was not found."
    Else
        Dim tmpValue1 = Request.QueryString("uniqueCode") 'VALIDATE AGAINST YOUR DATABASE
    End If
End Sub
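The flow described in posts #6 and #7 (issue a code with an expiry, check it on the verification page, disable it after one use), as an added example that is not code from any poster in this thread. `IssueToken`, `RedeemToken` and the in-memory dictionary standing in for the Access table are hypothetical names. Two choices are this example's own: the code is drawn from `RandomNumberGenerator` rather than `Guid.NewGuid`, and only its SHA-256 is stored.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text
Module ResetTokenDemo
    ' Constructed in-memory stand-in for the uniqueCode / expiry / used columns.
    Private Class Entry
        Public Email As String
        Public ExpiresUtc As DateTime
        Public Used As Boolean
    End Class
    Private ReadOnly store As New Dictionary(Of String, Entry)

    ' Assumption of this example: only a SHA-256 of the code is kept in the store.
    Private Function HashToken(token As String) As String
        Using sha As SHA256 = SHA256.Create()
            Return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)))
        End Using
    End Function

    ' Creates a one-time code for the user and records when it stops being valid.
    Function IssueToken(email As String, minutesValid As Integer, nowUtc As DateTime) As String
        Dim raw(31) As Byte ' upper bound 31 = 32 random bytes
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(raw)
        End Using
        Dim token As String = BitConverter.ToString(raw).Replace("-", "")
        store(HashToken(token)) = New Entry With {.Email = email, .ExpiresUtc = nowUtc.AddMinutes(minutesValid)}
        Return token
    End Function

    ' Returns the owner's email, or Nothing when the code is empty, unknown, expired or already used.
    Function RedeemToken(token As String, nowUtc As DateTime) As String
        If String.IsNullOrEmpty(token) Then Return Nothing
        Dim found As Entry = Nothing
        If Not store.TryGetValue(HashToken(token), found) Then Return Nothing
        If found.Used OrElse nowUtc > found.ExpiresUtc Then Return Nothing
        found.Used = True ' single use: a second visit with the same link is rejected
        Return found.Email
    End Function

    Sub Main()
        Dim t0 As DateTime = DateTime.UtcNow
        Dim token As String = IssueToken("student@example.test", 30, t0) ' constructed address
        Console.WriteLine("first use:    " & (RedeemToken(token, t0.AddMinutes(5)) IsNot Nothing))
        Console.WriteLine("replay:       " & (RedeemToken(token, t0.AddMinutes(6)) IsNot Nothing))
        Dim stale As String = IssueToken("student@example.test", 30, t0)
        Console.WriteLine("after expiry: " & (RedeemToken(stale, t0.AddMinutes(31)) IsNot Nothing))
        Console.WriteLine("empty code:   " & (RedeemToken("", t0) IsNot Nothing))
    End Sub
End Module
```

In the page's `Page_Load`, a `Nothing` result from the redeem step is the case where the redirect to the login page from post #6 applies.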
-
Aug 22nd, 2019, 01:40 PM
#8
Junior Member
Re: Password reset link question