Secure Login Controls

Stuart Ferguson

I am currently implementing a change password screen in my site and wish
to send an email back to the user saying the password has been changed
but not send the new password in the mail. I was looking to implement a
form of confirmation and was wondering if anyone had any examples of how
to perform this.

Many thanks in advance

Stuart
 
Galin Iliev [MCSD.NET]

You can create a mail template in a file and pass it to the RecoverPassword
control.
In the template you can write some placeholders that will be replaced
with the username and password.

This is part of the code in system.web.dll that performs the replace:

dictionary1.Add(@"<%\s*UserName\s*%>", userName);
dictionary1.Add(@"<%\s*Password\s*%>", password);

These are the templates for them.

It is up to you whether you include the password in your template.

I hope this helps
Galin Iliev[MCSD.NET]
www.galcho.com
 
clintonG

We have three choices and only three choices when using 2.0 Password
Recovery:

// Choice...
1.) Store and send the password as clear text
2.) Hash the password when stored in the database
3.) Encrypt the password when stored in the database

// Results...
1.) Should be out of the question for obvious reasons
2.) There is no way to send the current password. A new password will be
generated and sent using the MailDefinition configuration settings.
3.) The password must be decrypted and can be sent as clear text or mailed
as an encrypted querystring value in a link that sends the querystring back
to the page where it can be decrypted on the server. (this latter approach
is one I am considering at the moment)

I'm working my way through all of this myself right now. It's time-consuming
to do all the study but it must be done to understand what is going on and
which decisions to make, when and why.

It is not easy at all to put together an elegant login, change password,
password recovery strategy that remains robust. There are several "gotchas"
that have to be discovered and then resolved using some type of compromise
that still requires us to write code to refine what the controls do not
support OOTB.


<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/
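
An added example, not part of any post in this thread and not code from System.Web: one way to send a change confirmation that carries no password, using the placeholder patterns quoted above plus a signed (not encrypted), expiring token for the link's querystring. The class and method names and the `<% ConfirmUrl %>` placeholder are hypothetical, and it assumes a server-side secret key and C# 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Added example; the class, method and <% ConfirmUrl %> placeholder names are hypothetical.
public static class PasswordChangeMail
{
    static string B64(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] UnB64(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }
    // Token = base64url("expiryTicks|userName") + "." + base64url(HMAC-SHA256(payload)).
    public static string CreateToken(string userName, DateTime expiresUtc, byte[] key)
    {
        string payload = B64(Encoding.UTF8.GetBytes(expiresUtc.Ticks + "|" + userName));
        using (var mac = new HMACSHA256(key))
            return payload + "." + B64(mac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // True only for an unmodified, unexpired token; userName is set on success.
    public static bool TryValidate(string token, byte[] key, DateTime nowUtc, out string userName)
    {
        userName = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] actual, expected;
        try { actual = UnB64(parts[1]); } catch (FormatException) { return false; }
        using (var mac = new HMACSHA256(key))
            expected = mac.ComputeHash(Encoding.UTF8.GetBytes(parts[0]));
        int diff = expected.Length ^ actual.Length;   // compare without early exit
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        if (diff != 0) return false;
        // The payload is trusted from here on: its MAC was verified above.
        string[] f = Encoding.UTF8.GetString(UnB64(parts[0])).Split(new[] { '|' }, 2);
        if (new DateTime(long.Parse(f[0]), DateTimeKind.Utc) <= nowUtc) return false;
        userName = f[1];
        return true;
    }
    // Fills the template; refuses any template that still carries the Password placeholder.
    public static string BuildBody(string template, string userName, string confirmUrl)
    {
        if (Regex.IsMatch(template, @"<%\s*Password\s*%>"))
            throw new ArgumentException("Template must not contain <% Password %>.");
        // A MatchEvaluator keeps '$' in the values from being read as a substitution pattern.
        string body = Regex.Replace(template, @"<%\s*UserName\s*%>", m => userName);
        return Regex.Replace(body, @"<%\s*ConfirmUrl\s*%>", m => confirmUrl);
    }
}
```

The token only proves that the link was issued by the server and has not expired; making it single-use would need a server-side record, which this sketch leaves out.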
 
