Can I reset a password or remove a username?

AAaron123

If a user gave an incorrect email address or forgot the answer he gave
to the specified question, I'd like to be able to reset the password.

If that is not possible, I'd like to be able to remove the Username so he
can re-register and use the same name.

I know about System.Web.Security.Roles and am hoping there is something like
that for password or user but can't find it.




Thanks
 
Gregory A. Beamer

If you are using ASP.NET membership, you can exercise full control over the
objects. You can even give the user full control to fix his problem,
although I would not recommend it if he forgot everything, as that is a
security hole wide enough for a novice hacker.

If you, as an admin, need to do this, code against the Membership objects. I
will have to peruse my code base (now on DVD) and find a sample, as I have
already created a fairly simple admin page to reset a user's password.
Hopefully I can get to this in the next few days. Until then, I would do a
Google for ASP.NET Membership and start examining the objects. It is where
you will find the way to solve the problem.

One gotcha (may not apply to you, but this is a public forum). If you try to
create a common admin tool, be careful about how you instantiate the user's
object, as you can lock up their account for the duration of your session
(20 minutes after you log off).
 
AAaron123

Thanks for this info.

I did find ActiveDirectoryMembershipProvider ResetPassword method and
started to code against it. There seems to be some gotchas mentioned in the
docs that I don't quite understand so I'd really appreciate seeing your
code.

For example, it appears I must know the password answer to reset the
password using this method. The user may not remember this.

Public Overrides Function ResetPassword ( _
username As String, _
passwordAnswer As String _
) As String

As to Google: I did spend quite some unproductive time looking there. The
number of hits was very high and unhelpful. Maybe now that I know more I can
use better keywords.

Bottom line is: I'd very much like to see what an experienced ASP.NET
developer (you) produced.

Thanks again
 
Hans Kesting

AAaron123 has brought this to us:
If a user gave an incorrect email address or forgot the answer he gave to
the specified question, I'd like to be able to reset the password.

If that is not possible, I'd like to be able to remove the Username so he can
re-register and use the same name.

I know about System.Web.Security.Roles and am hoping there is something like
that for password or user but can't find it.




Thanks

Be careful: if I know a username, I could hijack that account by
stating that my e-mail has changed and I have forgotten that secret
answer.
It might not be important in your particular case, but it is something
you need to be aware of.

Hans Kesting
 
Larry Bud

If a user gave an incorrect email address or forgot the answer he gave
to the specified question, I'd like to be able to reset the password.

If that is not possible, I'd like to be able to remove the Username so he
can re-register and use the same name.

If you're having self-registration, I would recommend that you send
out a verification e-mail to the address entered which doesn't
activate the user's account until he clicks on a link you send him.

This completely solves the issue of a bad e-mail address. If a user
enters the wrong e-mail, just have him reregister with the correct
one.
 
AAaron123

Hans Kesting said:
AAaron123 has brought this to us :

Be careful: if I know a username, I could hijack that account by stating
that my e-mail has changed and I have forgotten that secret answer.
It might not be important in your particular case, but it is something you
need to be aware of.

Hans Kesting

In this case I could verify the person.

Thanks
 
AAaron123

If a user gave an incorrect email address or forgot the answer he gave
to the specified question, I'd like to be able to reset the password.

If that is not possible, I'd like to be able to remove the Username so he
can re-register and use the same name.

If you're having self-registration, I would recommend that you send
out a verification e-mail to the address entered which doesn't
activate the user's account until he clicks on a link you send him.

This completely solves the issue of a bad e-mail address. If a user
enters the wrong e-mail, just have him reregister with the correct
one.




In this case I could verify the person.

Thanks
 
Gregory A. Beamer

I was thinking forms authentication. That is the code I have, which will not
help you here. I may have some AD code somewhere, but I cannot guarantee it,
as it has been awhile since I did Intranet apps.

The main gotcha when going against active directory is you have to be using
an account with enough permissions to change the information. Many opt to
elevate the security privileges of the website, which is a mistake.

To really use AD fully, you have to get into System.DirectoryServices, so
Google searches should be in this direction and not with the AD bits in
ASP.NET. An example of using AD to set and change passwords is here:
http://tinyurl.com/28frz4

Another option is here, if you want to use the search method:
http://forums.asp.net/t/1361779.aspx

I would hide the actual functionality behind a service front end, rather
than code this directly in the website. This will shield you from any hacks.
Even if the app is strictly internal, you would be surprised how much damage
can be done by curious users.

Hope this helps!
 
AAaron123

I looked at those sites and think I'm in the wrong ballpark.

What I want to do is to add a capability so that when I'm logged into my
site (that is on a remote hosting ISP computer) I'll be able to change
another user's password.

Is the AD method I cited below the way to go?

I've used Membership.DeleteUser and am hoping that changing password is as
straightforward.

I found MembershipUser ChangePassword but this seems to require me to know
the old password.

Guess I'm not having much luck finding the correct approach.

Thanks
 
AAaron123

I wonder if you are remembering correctly. You said you
"created a fairly simple admin page to reset a user's password"

Hard to believe. From what I've seen so far you need to write a custom
membership provider or else you have to know the existing password or the
answer to the passwordQuestion.

Maybe my "fairly simple" is simpler than yours :)

Anyway, I think I can replace the default provider as shown below, but I
want to use the default values except when I change a password.

Can the code below be modified to produce a second provider without deleting
the default provider with requiresQuestionAndAnswer="true"?

Or do I actually have to produce a derived class?

If I do can I inherit from the default provider class?


Thanks a lot



<system.web>
  <!-- ... -->
  <membership>
    <providers>
      <remove name="AspNetSqlMembershipProvider" />
      <add name="AspNetSqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="LocalSqlServer"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="false"
           applicationName="/"
           requiresUniqueEmail="false"
           passwordFormat="Hashed"
           maxInvalidPasswordAttempts="10"
           minRequiredPasswordLength="7"
           minRequiredNonalphanumericCharacters="0"
           passwordAttemptWindow="10" />
    </providers>
  </membership>
</system.web>
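
An added example, not code from any poster in this thread: one way to do the admin reset asked about above without a derived class is to register a second SqlMembershipProvider beside the default one and call it by name. The provider name "AdminResetProvider", the role name "Administrators" and the class name are assumptions made for illustration.

```vbnet
' Assumed web.config addition (hypothetical name "AdminResetProvider"), placed
' beside the default provider inside <membership><providers>, with no <remove>:
'   <add name="AdminResetProvider"
'        type="System.Web.Security.SqlMembershipProvider"
'        connectionStringName="LocalSqlServer"
'        applicationName="/"
'        enablePasswordReset="true"
'        requiresQuestionAndAnswer="false"
'        passwordFormat="Hashed" />
' Same connectionStringName and applicationName as the default provider, so
' both providers read and write the same user rows.
Imports System
Imports System.Configuration.Provider
Imports System.Web
Imports System.Web.Security

Public NotInheritable Class AdminPasswordReset

    Private Const AdminProviderName As String = "AdminResetProvider" ' hypothetical
    Private Const AdminRole As String = "Administrators"             ' hypothetical

    ' Resets the password for targetUser and returns the generated password.
    Public Shared Function ResetFor(targetUser As String) As String
        ' Enforce authorization in code, not only by hiding the admin page.
        Dim caller As System.Security.Principal.IPrincipal = HttpContext.Current.User
        If caller Is Nothing OrElse Not caller.Identity.IsAuthenticated _
           OrElse Not caller.IsInRole(AdminRole) Then
            Throw New UnauthorizedAccessException("Administrator role required.")
        End If

        Dim provider As MembershipProvider = Membership.Providers(AdminProviderName)
        If provider Is Nothing Then
            Throw New ProviderException("Provider not configured: " & AdminProviderName)
        End If

        ' userIsOnline:=False so the lookup does not touch the last-activity stamp.
        Dim user As MembershipUser = provider.GetUser(targetUser, False)
        If user Is Nothing Then
            Throw New ArgumentException("Unknown user.", "targetUser")
        End If

        ' A locked-out account cannot be reset until it is unlocked.
        If user.IsLockedOut Then provider.UnlockUser(targetUser)

        ' No answer is needed: this provider has requiresQuestionAndAnswer="false".
        Return provider.ResetPassword(targetUser, Nothing)
    End Function
End Class
```

The returned value is the provider-generated password; it should reach the user only after the identity check discussed earlier in the thread, and the user should change it at the next sign-in.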
 
