webforms or mvc? You have also posted this in the js forum so are you wanting a server-side solution or not? Don't spam the boards with multiple vague questions in the hope that something hits, be specific in what you're asking.
Hello
When it comes to a user who has forgotten his password while trying to log-on, for example, one way of him (not the administrator) resetting his password is to ask him to complete a field asking for his username or email, or both, and then sending him a link and 'token' to do so.
What is meant by 'token', please?
Thanks.
You could set a temporary password for the user, then set the password to expire immediately. This would allow the user to log into the system using the temporary password but would force him to change his password immediately.
In this case, the "token" would be the temporary password you have set for the user. The token is a randomly created string of letters and numbers.
Bad idea - now anyone who knows the username can lock the user out of their account by constantly requesting a temporary password.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
The token is usually just a random string which an attacker wouldn't be able to guess. A GUID would be a simple example.
Make sure the token is time-limited, and is deleted as soon as the user has reset their password.
It's probably a good idea to only store the hash of the token in the database, to ensure that a hacker with read access to the database couldn't reset arbitrary accounts.
Troy Hunt has a good article which covers some of the other issues you'll want to think about:
Troy Hunt: Everything you ever wanted to know about building a secure password reset feature
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Many thanks to you both and for the link.
I will take a look at it now.
Would it be simpler (i.e. no time limit) to send a link to the user's email?
Thanks again
You have to send the link to the user's email. If you just display the link when the reset is requested, then anyone can reset the password for any account.
The link has to be unique for each reset request, and must not be guessable.
The link should only be valid for a short time (a few hours, or a day at most). Providing a link with no time limit makes it easier for hackers to guess the link. Make sure you store the expiration date in the database, not in the link!
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Thanks again, Richard.
I came across this sample code yesterday that uses such a link:
In my log-in aspx jay time_ version
strBody.Append(("Click here to change your password")
Can I ask, is the link above generated at random?
Thanks!
I don't know, because I can't see the code.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Sorry.
It's this:
Protected Sub btnForgot_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnForgot.Click
    Dim ConnectionString As String = "Data Source=|DataDirectory|students.mdb"
    Dim uniqueCode As String = String.Empty
    Using conn As New OleDbConnection(ConnectionString)
        Using cmd As OleDbCommand = conn.CreateCommand
            Try
                Dim dr As OleDbDataReader
                'Records to match the supplied email (strEmail)
                cmd = New OleDbCommand("SELECT * FROM university WHERE strEmail = @strEmail")
                conn.Open()
                cmd.Parameters.AddWithValue("@strEmail", strEmail.Text.Trim())
                cmd.Parameters.AddWithValue("@strEmail", Convert.ToString(strEmail.Text.Trim()))
                cmd.Parameters.AddWithValue("@uniqueCode", uniqueCode)
                cmd = New OleDbCommand("UPDATE university SET uniqueCode=@uniqueCode where strEmail = @strEmail", conn)
                If dr.HasRows Then
                    dr.Read()
                    'generate uniqueCode
                    uniqueCode = Convert.ToString(System.Guid.NewGuid())
                End If
                dr = cmd.ExecuteReader()
                cmd.ExecuteNonQuery()
                conn.Close()
                cmd.Dispose()
            Catch ex As Exception
                Console.WriteLine(ex.Message)
            End Try
        End Using
    End Using
    'Update the unique random code in the uniqueCode field of the database table
    Dim strBody As New StringBuilder()
    strBody.Append("<a href=http://localhost:2464/SampleApplication/ResetPasswordVB.aspx?emailId=" + strEmail.Text & "&uniqueCode=" & uniqueCode & ">Click here to reset your password</a>")
SMTP code follows
I know there are some errors. It's that line with localhost:2464 that I was referring to.
Thanks
Member 8761667 wrote: I know there are some errors.
You're not kidding!
I don't think there's a need to pass the email address in the link; you should be able to look up the record based purely on the unique code.
Something like this should work:
Protected Sub btnForgot_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnForgot.Click
    Const ConnectionString As String = "Data Source=|DataDirectory|students.mdb"
    Dim uniqueCode As String = Guid.NewGuid().ToString("N")
    Dim recordExists As Boolean = False
    Using conn As New OleDbConnection(ConnectionString)
        Using cmd As OleDbCommand = conn.CreateCommand()
            cmd.CommandText = "UPDATE university SET uniqueCode = @uniqueCode WHERE strEmail = @strEmail"
            cmd.Parameters.AddWithValue("@uniqueCode", uniqueCode)
            cmd.Parameters.AddWithValue("@strEmail", strEmail.Text.Trim())
            conn.Open()
            Dim recordsAffected As Integer = cmd.ExecuteNonQuery()
            If recordsAffected <> 0 Then recordExists = True
        End Using
    End Using
    If recordExists Then
        Dim builder As New UriBuilder(Request.Url)
        builder.Path = VirtualPathUtility.ToAbsolute("~/ResetPasswordVB.aspx")
        builder.Query = "uniqueCode=" & HttpUtility.UrlEncode(uniqueCode)
        Dim link As String = builder.Uri.ToString()
        ...
    End If
End Sub
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
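The properties the thread settles on for the token (random and unguessable, time-limited with the expiry held in the database rather than the link, only its hash stored, cleared once used), combined into one VB.NET example added here; it is not code from the thread or from any of its participants. It assumes the thread's `university` table, `strEmail` column and `students.mdb` connection string, plus two assumed extra columns, `resetTokenHash` (Text) and `resetTokenExpires` (Date/Time), and a two-hour validity window.

```vbnet
Imports System
Imports System.Data.OleDb
Imports System.Security.Cryptography
Imports System.Text
' Added example, not the thread's code; assumes columns resetTokenHash (Text) and resetTokenExpires (Date/Time).
Public Module ResetTokens
    Private Const ConnectionString As String = "Data Source=|DataDirectory|students.mdb"
    ' 32 CSPRNG bytes, hex-encoded: 256 bits of entropy, so the link cannot be guessed.
    Public Function NewToken() As String
        Dim bytes(31) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(bytes)
        End Using
        Return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant()
    End Function
    ' Only this SHA-256 hash is stored, so read access to the table yields no usable token.
    Public Function HashToken(token As String) As String
        Using sha As SHA256 = SHA256.Create()
            Dim digest As Byte() = sha.ComputeHash(Encoding.UTF8.GetBytes(token))
            Return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant()
        End Using
    End Function
    ' Returns Nothing when no account matched (send a "register" mail instead); expiry lives in the database, not the link. OleDb binds the ? markers in the order added.
    Public Function IssueToken(email As String) As String
        Dim token As String = NewToken()
        Using conn As New OleDbConnection(ConnectionString)
            Using cmd As OleDbCommand = conn.CreateCommand()
                cmd.CommandText = "UPDATE university SET resetTokenHash = ?, resetTokenExpires = ? WHERE strEmail = ?"
                cmd.Parameters.AddWithValue("@hash", HashToken(token))
                cmd.Parameters.Add("@expires", OleDbType.Date).Value = DateTime.UtcNow.AddHours(2)
                cmd.Parameters.AddWithValue("@email", email.Trim())
                conn.Open()
                If cmd.ExecuteNonQuery() = 0 Then Return Nothing
            End Using
        End Using
        Return token
    End Function
    ' For ResetPasswordVB.aspx: match the hash of the presented token against an unexpired row and clear it in the same statement, so a token works exactly once. Set the new password only when this returns True.
    Public Function ConsumeToken(token As String) As Boolean
        Using conn As New OleDbConnection(ConnectionString)
            Using cmd As OleDbCommand = conn.CreateCommand()
                cmd.CommandText = "UPDATE university SET resetTokenHash = NULL, resetTokenExpires = NULL WHERE resetTokenHash = ? AND resetTokenExpires > ?"
                cmd.Parameters.AddWithValue("@hash", HashToken(token))
                cmd.Parameters.Add("@now", OleDbType.Date).Value = DateTime.UtcNow
                conn.Open()
                Return cmd.ExecuteNonQuery() = 1
            End Using
        End Using
    End Function
End Module
```

The plain token goes only into the emailed link (`ResetPasswordVB.aspx?uniqueCode=...`), and because the expiry is compared server-side against the stored column, a link with a tampered or missing date gains nothing.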
Wow!
I feel as if I have been hit by Mike Tyson! What a wake up call.
It's my first attempt at it in my defence, but your code is so neat and makes easy reading even though I don't yet understand every line.
I will go through it and research a bit things I am hazy about (especially after that knockout blow!) and when it's all up and running I will post back so that you can admire your craft.
Many thanks, Richard, I am so grateful.
Hello Richard
Just a quick question about the code you kindly sent to me.
It concerns this line here:
Dim recordExists As Boolean = False
Is there a reason this is not 'true'? Either the user exists in the database or not. If he does, then he gets sent the link; if not, he should register. Isn't it as black and white as that?
If Boolean is set to false, doesn't that suggest that it is unimportant whether he exists or not?
Thanks
You need to know whether the record exists to know whether you're going to send a "forgotten password" email or a "register" email.
The flag is initially set to False because the code later updates it to True if the record was found. You could reverse that logic, but I think it makes more sense as it is.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Richard Deeming wrote: store the expiration date in the database, not in the link! Or encrypt it and put it in the link.
There are only 10 types of people in the world, those who understand binary and those who don't.
Thanks, Ryan
Adding a Date/Time column to Access sounds a bit easier!
But thanks for suggesting an alternative!
Hi All,
I am using the CodeSmith NetTier generator for my DAL generation. I have set the ServiceClassNameFormat field to {0}Service, but it is still not generating the class names with the Service suffix. As I am just maintaining the application, changing the name is giving lots of errors.
Can anybody help me in fixing this? I am in need, as I am new to CodeSmith. I am googling too, but it is still not of much help. Any help, a suggestion, a code snippet or even a link would be greatly helpful.
Thanks in advance.
Thanks,
Abdul Aleem
"There is already enough hatred in the world lets spread love, compassion and affection."
touch screen application in C++
1) Your "query" isn't a query at all.
2) You've already posted this and surprisingly had an answer that points you in the right direction
3) This isn't a C++ forum
Instead of posting non-questions in the wrong forum here, you should post those words into Google, and learn how to do basic research for yourself.
Once again: read this, and pay particular attention to point 2.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
I want a solution for validating a weakly typed model.
Not by using jQuery validation or AngularJS, and not by combining all the models into a single model.
I want the validation to be done on the .cshtml page.
You can surely write C# code on the (cshtml) page itself. But how do you want to add the validation? Is it just a collection of simple conditional checks?
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
I want to develop a touch screen application in C#. I haven't developed a touch screen application before.