Secure Login Controls

Discussion in 'ASP .Net' started by Stuart Ferguson, May 14, 2006.

  1. I am currently implementing a change password screen in my site and wish
    to send an email back to the user saying the password has been changed
    but not send the new password in the mail. I was looking to implement a
    form of confirmation and was wondering if anyone had any examples of how
    to perform this.

    Many thanks in advance

    Stuart

    Stuart Ferguson, May 14, 2006
    #1

  2. Stuart Ferguson

    Mark Rae Guest

    Mark Rae, May 14, 2006
    #2

  3. You can create a mail template in a file and pass it to the RecoverPassword
    control.
    In the template you can write some placeholders that will be replaced
    with the username and password.

    This is part of the code in system.web.dll that performs the replace:

    dictionary1.Add(@"<%\s*UserName\s*%>", userName);
    dictionary1.Add(@"<%\s*Password\s*%>", password);

    These are the templates for them.

    It is up to you whether you include the password in your template.

    I hope this helps
    Galin Iliev[MCSD.NET]
    www.galcho.com
    Galin Iliev [MCSD.NET], May 14, 2006
    #3
  4. Stuart Ferguson

    clintonG Guest

    We have three choices and only three choices when using 2.0 Password
    Recovery:

    // Choice...
    1.) Store and send the password as clear text
    2.) Hash the password when stored in the database
    3.) Encrypt the password when stored in the database

    // Results...
    1.) Should be out of the question for obvious reasons
    2.) There is no way to send the current password. A new password will be
    generated and sent using the MailDefinition configuration settings.
    3.) The password must be decrypted and can be sent as clear text or mailed
    as an encrypted querystring value in a link that sends the querystring back
    to the page where it can be decrypted on the server. (this latter approach
    is one I am considering at the moment)

    I'm working my way through all of this myself right now. It's time-consuming
    to do all the study but it must be done to understand what is going on and
    which decisions to make, when and why.

    It is not easy at all to put together an elegant login, change password,
    password recovery strategy that remains robust. There are several "gotchas"
    that have to be discovered and then resolved using some type of compromise
    that still requires us to write code to refine what the controls do not
    support OOTB.


    <%= Clinton Gallagher
    NET csgallagher AT metromilwaukee.com
    URL http://www.metromilwaukee.com/clintongallagher/





    clintonG, May 15, 2006
    #4
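
Added example, not part of the original thread and not code from System.Web: a confirmation mail for a password change that carries a signed, expiring token in the link instead of the password, used here in place of the encrypted-password querystring mentioned in post #4. The class name, the `ConfirmLink` placeholder, the `confirm.aspx` URL, the user name and the key are hypothetical or constructed; `CryptographicOperations.FixedTimeEquals` needs .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
static class ChangeConfirmation
{
    // Constructed demo key: a real site loads a random secret from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-use");
    static byte[] Mac(string payload)
    {
        using (var h = new HMACSHA256(Key)) return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Token = base64(userName) "." expiry ticks "." base64(HMAC). It carries no password.
    public static string Issue(string userName, DateTime expiresUtc)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName)) + "." + expiresUtc.Ticks;
        return payload + "." + Convert.ToBase64String(Mac(payload));
    }

    // Returns the user name only if the MAC matches and the token has not expired, else null.
    public static string Verify(string token, DateTime nowUtc)
    {
        string[] p = (token ?? "").Split('.');
        if (p.Length != 3 || !long.TryParse(p[1], out long ticks)) return null;
        try
        {
            byte[] sent = Convert.FromBase64String(p[2]);
            if (!CryptographicOperations.FixedTimeEquals(sent, Mac(p[0] + "." + p[1]))) return null;
            return nowUtc.Ticks <= ticks ? Encoding.UTF8.GetString(Convert.FromBase64String(p[0])) : null;
        } catch (FormatException) { return null; }   // malformed base64 is rejected, not thrown
    }

    // Fills placeholders in the <% Name %> style quoted in post #3; the template has no Password one.
    public static string BuildMail(string template, string userName, string link)
    {
        string body = Regex.Replace(template, @"<%\s*UserName\s*%>", m => userName);
        return Regex.Replace(body, @"<%\s*ConfirmLink\s*%>", m => link);
    }

    static void Main()
    {
        string token = Issue("stuart", DateTime.UtcNow.AddHours(1));   // constructed sample user
        string link = "https://example.invalid/confirm.aspx?t=" + Uri.EscapeDataString(token);
        Console.WriteLine(BuildMail("Hi <% UserName %>, confirm your password change: <%ConfirmLink%>", "stuart", link));
        Console.WriteLine(Verify(token, DateTime.UtcNow) ?? "rejected");         // valid token
        Console.WriteLine(Verify(token + "x", DateTime.UtcNow) ?? "rejected");   // tampered token
    }
}
```

The token stays valid until its expiry time, so the confirmation page should also record each token it accepts and refuse a second use.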