
Using the New Security Controls in ASP.NET 2.0 : Page 4

ASP.NET 2.0 adds many security enhancements to make building Web sites that handle passwords (for example) much easier by providing encryption features in the controls right out of the box.

Recovering Lost Passwords
Recovering/resetting lost passwords is a common task that you need to perform as an administrator. The PasswordRecovery control allows users to perform this mundane task themselves by automatically retrieving the password and then sending it to the user via e-mail.

Password recovery makes sense only if you store the password as plain text and not its hashed value. However, by default, the settings in the machine.config file specify that all passwords be hashed before they are stored in the member database. Machine.config also disables password retrieval by default.

To store the user's password in plain text, add the following entry in Web.config.

...
<system.web>
  <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
    <providers>
      <clear />
      <add name="SqlProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="LocalSqlServer"
           applicationName="SecurityControls"
           enablePasswordRetrieval="true"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="true"
           requiresUniqueEmail="true"
           passwordFormat="Clear" />
    </providers>
  </membership>
...

Specifically, you are clearing all the Membership Providers and then adding a new SqlMembershipProvider. Note that you need to set the enablePasswordRetrieval (to true) and passwordFormat (to Clear) attributes in order to allow passwords to be retrieved.

If you set the passwordFormat as Hashed, then you must set enablePasswordReset to false.

Now drag and drop the PasswordRecovery control onto Default.aspx and then apply the Colorful scheme. The PasswordRecovery control now looks like Figure 17.

In the Properties window of the PasswordRecovery control, set the From and Subject fields under the MailDefinition property as shown in Figure 18.

Figure 17. The PasswordRecovery Control. Using this control, users can recover their own forgotten passwords.
Figure 18. PasswordRecovery Control Properties: Here's how you configure the PasswordRecovery control in the Property browser.
Figure 19. Recovering a Lost Password: A user sees this sequence of screens when recovering a lost password.

You also need to have the SMTP service configured on your machine for the PasswordRecovery control to send an e-mail. To configure the SMTP service on your machine, start WAT, choose Application, then choose Configure SMTP e-mail settings.

To test the application, press F5. You will be prompted for your user name and then your security question. If the answer to the security question is correct, the password will be e-mailed to you; otherwise you will get an error message on the page like that shown in Figure 19.

For security reasons, it is not a good idea to send a user's password through e-mail, and this option also requires the passwords themselves to be stored in clear text. Hence, you really need to consider very carefully whether to enable it.

Changing Passwords
Figure 20. Adding Folders: Here's the Solution Explorer after adding a new folder to the project.
Besides recovering lost passwords, you also need to allow users to change their passwords. In ASP.NET 2.0, you can do so using the ChangePassword control.

Since a user can only change their password after they have logged in, you will now create a new folder in your application that is accessible to only authenticated users.

You can add a new folder to your application by right-clicking on the project name in Solution Explorer, choosing Add Folder, and then choosing Regular Folder. Name the folder "Members." Now add a new Web form to this new folder (right-click on Members and then select Add New Item...). Name the new Web form ChangePassword.aspx (see Figure 20).

To restrict access to the Members folder, add the following <location> element to Web.config.

...
</system.web>
<location path="Members">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
</configuration>

Essentially, pages within the Members folder are accessible only to authenticated users: the "?" wildcard in the <deny> element stands for all anonymous users, who are denied access.
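As an added example (not from the original article), here is how the membership-provider fragment and the <location> fragment above fit together in one Web.config, with the provider changed to the hardened settings the warning about e-mailing passwords points toward: passwordFormat="Hashed" stores only a salted hash, and enablePasswordRetrieval="false" means the PasswordRecovery control can no longer mail the existing password. Because enablePasswordReset stays true, the control instead generates a new password after the user answers the security question and mails that one, which the user can then change on the ChangePassword.aspx page. The connectionStringName and applicationName values are the article's own; the <authentication> element and its loginUrl are assumptions chosen to match the login.aspx redirect the article describes.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication redirects anonymous users to the login page.
         loginUrl is an assumption matching the article's login.aspx. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>

    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
      <providers>
        <clear />
        <!-- Hardened provider: passwords are stored as salted hashes and
             can never be read back (enablePasswordRetrieval="false").
             Recovery still works because the control resets the password
             to a generated value instead (enablePasswordReset="true"). -->
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             applicationName="SecurityControls"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             passwordFormat="Hashed" />
      </providers>
    </membership>
  </system.web>

  <!-- Only authenticated users may reach anything under /Members;
       the "?" wildcard denotes anonymous users. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this configuration the PasswordRecovery control on Default.aspx keeps working unchanged; the difference is that the e-mail carries a freshly generated password rather than the one the user chose, so an exposed mailbox no longer reveals a long-lived credential. Keeping requiresQuestionAndAnswer="true" ensures the reset happens only after the security question is answered correctly.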

Drag and drop the ChangePassword control onto ChangePassword.aspx and apply the Colorful scheme (see Figure 21).

Figure 21. The ChangePassword Control: Using this control makes it easy for you to let users change their passwords.
Figure 22. Changing Passwords: Users might see this sequence of screens while changing passwords with the ChangePassword control.

To test the application, in Solution Explorer select the ChangePassword.aspx file in the Members folder and press F5. You will first be redirected to the login.aspx page (for authentication) and once authenticated the ChangePassword.aspx page will be loaded. You can now change your password (see Figure 22).

Wei-Meng Lee is a Microsoft MVP and founder of Developer Learning Solutions, a technology company specializing in hands-on training on the latest Microsoft technologies. He is an established developer and trainer specializing in .NET and wireless technologies. Wei-Meng speaks regularly at international conferences and has authored and coauthored numerous books on .NET, XML, and wireless technologies. He writes extensively on topics ranging from .NET to Mac OS X. He is also the author of the .NET Compact Framework Pocket Guide, ASP.NET 2.0: A Developer's Notebook (both from O'Reilly Media, Inc.), and Programming Sudoku (Apress). Here is Wei-Meng's blog.