How to implement token to reset password?


I have an Asp.Net MVC project that I created without template (from scratch even).
I would like to implement a password recovery function, but I’m not sure where to start.

  1. What method is used to generate a secure token that expires after a given time? And what is the best way to generate a link with it?
  2. Do I need to store the token in the database, or does it stay "alive" in server memory for the given time?
  3. When the link with the token is accessed, how do I validate it?
  • I don’t really like the idea of using this, but take a look: https://msdn.microsoft.com/en-us/library/webmatrix.webdata.websecurity.generatepasswordresettoken(v=vs.111).aspx

  • An answer in the OS: http://stackoverflow.com/a/19036559/221800. Depending on what you are using, it may be useful: http://stackoverflow.com/a/28112472/221800 or http://stackoverflow.com/a/24211766/221800

  • I really liked that response from the O.R., but the guy doesn’t say what IdentityManager is. And then you can’t move on.

  • I don’t know either, but I know that it is important in this technology: http://blogs.msdn.com/b/webdev/archive/2013/06/27/introducing-asp-net-identity-membership-system-for-asp-net-applications.aspx. and http://www.asp.net/identityidentity

  • I understood, but I would not like to install another package in the project. I think I will actually use the option from your first comment. Thank you very much. I just don’t understand why you don’t like it...

  • So do it by hand, and worry about all the risks and difficulties that several professional experts in the subject had and took months or years to get into :) What I do not like is the 1st link only. I don’t quite know how it works, but it seemed to me a beautiful kludge (although maybe it solves the issue in a simple way). The IdentityManager seems more appropriate.

  • Want to build a new Preview? What’s the need for this?


1 answer



First you will need a table to store the password change requests; we will call it password_change_requests, and in it you will need to have the following information:

  • Table id (recommended to be a GUID)
  • User id
  • Time to expire

After the creation of this table your process should work as follows:

  1. On the login screen it is recommended to have a link "Forgot password?", where the user will be forwarded to a page where he will type his login or email and will have a button "Continue".
  2. After clicking "Continue" the system will save the user id in the table password_change_requests and send an email to the user passing as a parameter in the URL the id of the password_change_requests row, for example: http://www.mysite.com/forgotpassword?ID={id of the password_change_requests table}
  3. When entering the page to register a new password, the system will check whether the id passed in the query string exists in the table password_change_requests and whether it has not yet expired.
  4. If everything is in order, the user can change his password.
  5. After entering the new password you should delete this record, preventing it from being used again.
  • It was exactly the alternative I could see. I was looking for something different, something native to Microsoft, but I ended up implementing it in a similar way to what you proposed. Even so, thank you very much for the answer; it is a solution to the problem. +1
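An added example (not the answer's own code) of the five steps above in C# for an ASP.NET MVC project. It goes one step beyond the answer by pairing the GUID in the URL with a random token whose SHA-256 hash is what the table stores, so a leaked table row cannot be turned into a working reset link; the class names PasswordChangeRequest and PasswordResetService and the in-memory dictionary standing in for the table are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// One row of the password_change_requests table from the answer. The raw token is sent only
// to the user; the table keeps its SHA-256 hash (added hardening, not part of the answer).
public class PasswordChangeRequest
{
    public Guid Id { get; set; }            // table id (GUID), also the ID in the reset URL
    public int UserId { get; set; }
    public string TokenHash { get; set; }   // hex SHA-256 of the random token
    public DateTime ExpiresAtUtc { get; set; }
}

public class PasswordResetService
{
    // Assumption: an in-memory dictionary stands in for the real database table.
    private readonly Dictionary<Guid, PasswordChangeRequest> _table = new Dictionary<Guid, PasswordChangeRequest>();
    private static string Sha256Hex(string value)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(value))).Replace("-", "");
    }
    // Step 2: insert the request and return the link to e-mail to the user.
    public string CreateResetLink(int userId, TimeSpan lifetime)
    {
        var tokenBytes = new byte[32];                      // 256 random bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(tokenBytes);
        string token = Convert.ToBase64String(tokenBytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        var row = new PasswordChangeRequest { Id = Guid.NewGuid(), UserId = userId,
            TokenHash = Sha256Hex(token), ExpiresAtUtc = DateTime.UtcNow.Add(lifetime) };
        _table[row.Id] = row;
        return "http://www.mysite.com/forgotpassword?ID=" + row.Id + "&token=" + token;
    }
    // Steps 3 and 5: the row must exist, be unexpired and match the token; it is then
    // deleted so the link is single-use. Returns the user id, or null if rejected.
    public int? ConsumeToken(Guid id, string token)
    {
        PasswordChangeRequest row;
        if (!_table.TryGetValue(id, out row)) return null;
        if (DateTime.UtcNow > row.ExpiresAtUtc) { _table.Remove(id); return null; }   // expired: discard
        string expected = row.TokenHash, actual = Sha256Hex(token);
        int diff = expected.Length ^ actual.Length;                                   // fixed-time compare
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        if (diff != 0) return null;
        _table.Remove(id);
        return row.UserId;
    }
}
```

The controller behind /forgotpassword would call ConsumeToken with the ID and token from the query string and only show the new-password form when it returns a user id.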
