Recovering Lost Passwords
Recovering/resetting lost passwords is a common task that you need to perform as an administrator. The PasswordRecovery control allows users to perform this mundane task themselves by automatically retrieving the password and then sending it to the user via e-mail.
Password recovery makes sense only if you store the password as plain text and not its hashed value. However, by default, the settings in the machine.config file specify that all passwords be hashed before they are stored in the member database. Machine.config also disables password retrieval by default.
To store the user's password in plain text, add the following entry in Web.config:
Specifically, you are clearing all the Membership Providers and then adding a new SqlMembershipProvider. Note that you need to set both the enablePasswordRetrieval and the passwordFormat attributes in order to allow passwords to be retrieved. If you set the passwordFormat attribute to a format other than plain text, then you must set enablePasswordReset instead.
Now drag and drop the PasswordRecovery control onto Default.aspx and then apply the Colorful scheme. The PasswordRecovery control now looks like Figure 17.
In the Properties window of the PasswordRecovery control, set the From fields under the MailDefinition property as shown in Figure 18.
Figure 17. The PasswordRecovery Control: Using this control, users can recover their own forgotten passwords.
Figure 18. PasswordRecovery Control Properties: Here's how you configure the PasswordRecovery control in the Property browser.
Figure 19. Recovering a Lost Password: A user sees this sequence of screens when recovering a lost password.
You also need to have the SMTP service configured on your machine for the PasswordRecovery control to send an e-mail. To configure the SMTP service on your machine, start WAT, choose Application, then choose Configure SMTP e-mail settings.
To test the application, press F5. You will be prompted for your user name and then your security question. If the answer to the security question is correct, the password will be e-mailed to you; otherwise you will get an error message on the page like the one shown in Figure 19.
For security reasons, it is not a good idea to send a user's password through e-mail: anyone who can read the user's mailbox or intercept the message learns the password. Hence, you really need to consider using this option very carefully.
Figure 20. Adding Folders: Here's the Solution Explorer after adding a new folder to the project.
Besides recovering lost passwords, you also need to allow users to change their passwords. In ASP.NET 2.0, you can do so using the ChangePassword control.
Since a user can only change their password after they have logged in, you will now create a new folder in your application that is accessible to only authenticated users.
You can add a new folder to your application by right-clicking on the project name in Solution Explorer, choosing Add Folder, and then choosing Regular Folder. Name the folder "Members." Now add a new Web form to this new folder (right-click on Members and then select Add New Item...). Name the new Web form ChangePassword.aspx (see Figure 20).
To restrict access to the Members folder, add the following <location> element to Web.config:
<deny users="?" />
Essentially, pages within the Members folder are only accessible to authenticated users; all anonymous users (denoted by "?") will be denied access.
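As an added example (not the article's own Web.config listing), here is a complete Web.config that combines the SqlMembershipProvider entry described earlier with the <location> element for the Members folder; the provider name SqlProvider and the connection string name LocalSqlServer are assumptions. The commented-out second provider shows the hashed-storage, reset-only configuration that the e-mail security remark above argues for.

```xml
<?xml version="1.0"?>
<!-- Added example, not the article's own listing. Assumes a connection
     string named "LocalSqlServer" (the ASP.NET 2.0 default name). -->
<configuration>
  <system.web>
    <!-- The article's setting: plain-text storage so that PasswordRecovery
         can e-mail the original password. A copy of the member database
         then exposes every password directly. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             enablePasswordRetrieval="true"
             requiresQuestionAndAnswer="true"
             passwordFormat="Clear" />
      </providers>
    </membership>
    <!-- Safer alternative (commented out because system.web may hold only one
         membership element): keep the machine.config default of hashed
         storage, turn retrieval off and let PasswordRecovery reset the
         password instead, e-mailing a newly generated one.
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             passwordFormat="Hashed" />
      </providers>
    </membership>
    -->
  </system.web>
  <!-- Deny anonymous users ("?") access to everything under /Members. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With the hashed configuration, the PasswordRecovery control still asks the security question, but it generates and mails a new password rather than revealing the stored one.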
Drag and drop the ChangePassword control onto ChangePassword.aspx and apply the Colorful scheme (see Figure 21).
Figure 21. The ChangePassword Control: Using this control makes it easy for you to let users change their passwords.
Figure 22. Changing Passwords: Users might see this sequence of screens while changing passwords with the ChangePassword control.
To test the application, in Solution Explorer select the ChangePassword.aspx file in the Members folder and press F5. You will first be redirected to the login.aspx page (for authentication), and once authenticated the ChangePassword.aspx page will be loaded. You can now change your password (see Figure 22).