How to reset password in Drupal 7? - drupal

I want the following functionality: when a user clicks on 'forgot password',
I want the user to get an email to reset his password (i.e., a password reset link to be sent). When he clicks on the link, a new password should be generated and sent to his email.
Any idea?
Thanks

Drupal already has password reset functionality, but it's not working exactly as you want it, since sending passwords over email is not safe.
Instead you get a link for a one-time login where you can reset your password (is it safer at all?).
The URL for the password reset page is /user/password

Related

How to show the user their automatically generated password after social login?

I am faced with a beautiful enigma. In WordPress I have a widget that allows you to log in with social login (Google and Facebook). When you log in for the first time, the system automatically generates a password and username. This works well. I checked the database and the password is correctly present as hashed.
Now, the problem is that if the user goes into profile settings and wants to change their password, they have to enter the current password first, but they can't know it since it was generated automatically.
I would like to give the user full control over the security of his account, so that he can change his password even if he is logged in with the social login.
So I foresee three possible solutions:
Allow the password to be changed without entering the current one (but it seems insecure).
Email the automatically generated password (and I have no idea how I could do it). Or alternatively, view it in the user's profile, but I don't know how safe it is.
Disable social login and rely on the classic registration :)
Has anyone faced a similar situation before? Can you clarify this with some standard method/practice?
You can allow the user to ask for a new password he/she specifies. The user will specify the password twice (password and confirm password fields), and then you:
encrypt the password the user asked for
store the encrypted value somewhere as a password candidate (metadata, perhaps)
send an email to the user so he/she can confirm that he/she indeed asked for a password
once the user clicks on the link you have sent to him/her, replace the value of the password with the password candidate and remove the password candidate
Don't forget that the user is already logged in when he/she changes his/her password; adding an email validation to the password he/she asked for is pretty safe.
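The confirm-by-email change described in the answer above, as an added example in Python; it is not code from the answer or from WordPress. The in-memory user store, the pending-candidate store, the outbox that stands in for a mailer and the 15-minute expiry are all assumptions. The candidate is kept as a salted hash (a WordPress plugin would use user meta and the framework's own password hasher), so that at rest it is no more sensitive than the live password, and the emailed token is stored only as a hash, is single use, and expires.

```python
"""Pending password change for a logged-in user, confirmed by an emailed link.
Added example: in-memory stores and an outbox stand in for the real database
and mailer (assumed, not WordPress APIs)."""
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a pending change expires after 15 minutes

# Constructed stand-ins for the user table, user metadata and the mail service.
USERS = {"alice": {"email": "alice@example.test", "password_hash": None}}
PENDING = {}   # username -> {"candidate_hash", "token_hash", "expires"}
OUTBOX = []    # (recipient, link) pairs recorded instead of being sent


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 from the standard library (stand-in for the
    framework's hasher). Output is 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def request_change(username: str, new_password: str, confirm: str, now: float) -> None:
    """Steps 1-3 of the answer: hash the candidate, park it, email a token.
    The live password is not touched here."""
    if new_password != confirm:
        raise ValueError("passwords do not match")
    token = secrets.token_urlsafe(32)  # the secret exists only in the email
    PENDING[username] = {
        "candidate_hash": hash_password(new_password),
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),  # never the token itself
        "expires": now + TOKEN_TTL_SECONDS,
    }
    OUTBOX.append((USERS[username]["email"],
                   f"https://example.test/confirm?u={username}&t={token}"))


def confirm_change(username: str, token: str, now: float) -> bool:
    """Step 4: promote the candidate only if the token matches and is still fresh,
    then delete the candidate so the link cannot be replayed."""
    pending = PENDING.get(username)
    if pending is None or now > pending["expires"]:
        PENDING.pop(username, None)  # expired candidates are discarded
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    USERS[username]["password_hash"] = pending["candidate_hash"]
    del PENDING[username]
    return True


if __name__ == "__main__":
    request_change("alice", "N3w-pass!", "N3w-pass!", now=0.0)
    link = OUTBOX[-1][1]
    print("confirmed:", confirm_change("alice", link.split("&t=")[1], now=1.0))
    print("login works:", verify_password("N3w-pass!", USERS["alice"]["password_hash"]))
```

Because the candidate lives beside, not in place of, the real credential, a lost or ignored email leaves the account exactly as it was, which is what makes the flow safe to offer without asking for the current password.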

In a default ASP.NET Core project, why does the "Forgot password" functionality ask for user email twice?

In Visual Studio 2017, if you create a new ASP.NET Core Web Application (Razor Pages) configured to use Individual user accounts and Store user accounts in-app, the "Forgot password" flow is as follows.
1. User goes to the login page.
2. User clicks "Forgot your password?"
3. User enters an email address and clicks "Submit".
4. An email is sent to the user with a link to reset the password. This link contains the user id (Guid) and a code used for the reset.
5. User clicks the link and is taken to the "Reset password" page.
6. User enters Email, Password and Confirm password and clicks Reset.
7. The password is then reset.
My question is whether there is some specific reason the user is requested to enter his email in step 6, considering that the user id is already in the URL. The reset password page could look up the user by the id and not ask for the email address.
I assume it's a security feature, in case someone intercepts the link. But intercepting the link would likely mean intercepting the email containing the link, and then the user's email would be known anyway. So I feel like I am missing something.
Sounds like a security issue to me.
Even though you could look up the user id, show them their email, and that would be a better user experience, it's slightly more secure to have the user enter his/her email again with the code for reset. This way the password reset still contains something you know and something you have to authenticate the user during the password reset process. The something you know is the email address; the something you have is the reset code (and possibly the user id).
If email is not required, and an attacker somehow got hold of the reset password information but didn't know the user's email address, the attacker would be able to use the GUID & reset code to reset the password.
If email is required and the attacker does not know the email address, then the attacker wouldn't be able to reset the password with just the reset information (user id/code).
Password reset isn't really used that often and doesn't really have to be the most user-friendly part of your website. Better to be more secure.

Auto Login After Registration Wordpress

I would like the user, after clicking on the registration link sent via email (after completing the registration form), to be logged in automatically without having to enter a username and password.
How can I do this?
Thanks in advance
That is a security issue. You should verify that the appropriate person received the email by asking for credentials. At most, you could probably store the email in local storage/a cookie and retrieve it on the login page. But please don't auto-login.

Reset Password Drupal 7

Is there a page already set up for a user to reset their password? E.g. /user/ for user registration, /user/x/edit/ for editing your profile; is there a /user/reset/ or anything?
There is:
http://mysite.com/user/password
There is 'user/password', where you get to a page to enter your email to receive the one-time login link.

Problem when password resetting in ASP.NET

I am developing an app in which I should design a page for users who forget their passwords and send them an email with the new passwords. I am using ASP.NET Membership, and the password format should be hashed.
My problem is that when sending the mail has failed, the password has already been changed and, wow! no work can be done.
What is your solution?
You should send users an email with a link where they can confirm the password reset (otherwise you could reset other users' passwords by guessing their emails). On the linked page users would then confirm the password reset (or even change it themselves).
But it's better practice not to send passwords in any way, shape or form. It's the most secure.
The process:
Users request a password reset by their email.
They receive an email with a link.
They click the link and provide a new password that gets hashed right away and stored in the system.
You could temporarily set the passwordFormat value for affected users to "Clear" in the aspnet_Membership table, assign them a password, and then work on getting the e-mail working.
Setting the aspnet_Membership.passwordFormat value to 0 changes the format to Clear text, which means it's not encrypted. It's not secure, but it will allow login. After that, you can reset the password and it'll be changed back to 2 (Encrypted).
The user should change their password again, and hopefully the email will succeed.
If they entered an incorrect address, they should contact an administrator who can correct their email address.
If it is possible to tell whether an e-mail was successfully sent before you actually commit the change to the database, this would be a good option. This isn't always the case, but maybe it could work for your application.
Usually, in my experience, ASP will throw an exception if the e-mail fails. If this happens, don't do anything in the DB; if the mail goes through, then change the password. That doesn't mean they will get the e-mail, but you can't account for problems during the e-mail's travel anyway. The option above would apply after this fails. ;)
I don't know the support for such a feature in ASP.NET.
But some websites send you an email with a link to click (that expires in some days). Clicking it will make sure you are committing to that action (i.e., the password is changed only after they receive the email & click the link they received).
ASP.NET also supports the question and secret answer approach to password recovery if email doesn't work.
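The forgot-password flow that the answers to this question and to the "why does it ask for the email twice" question above describe, as one added example in Python; it is not code from the answers, from ASP.NET Membership or from ASP.NET Identity. The user table, the reset-token table, the mailer (which raises to simulate a send failure), the one-hour expiry and the URLs are all assumptions. It shows the two points the answers make: the account is not modified until the user has proved control of the mailbox, so a failed send leaves nothing to undo, and the reset form must present the email address as well as the code from the link.

```python
"""Emailed reset link: send first, persist the token only if sending succeeded,
and require email + code on the reset form. Added example with constructed
in-memory stores; the APIs and policy values are assumptions."""
import hashlib
import hmac
import secrets

RESET_TTL_SECONDS = 3600  # assumed policy: reset links expire after one hour

# Constructed stand-ins for the user table, the reset-token table and the mailer.
USERS = {"u-1": {"email": "bob@example.test", "password_hash": "old-hash"}}
RESET_TOKENS = {}   # user id -> {"code_hash", "expires"}
OUTBOX = []         # (recipient, link) pairs recorded instead of being sent


class MailError(Exception):
    """Raised by the constructed mailer to simulate an SMTP failure."""


def send_mail(to: str, body: str, fail: bool = False) -> None:
    if fail:
        raise MailError("could not deliver")
    OUTBOX.append((to, body))


def request_reset(email: str, now: float, mail_fails: bool = False) -> None:
    """Issue a reset link. Returns nothing either way so the form cannot be used
    to find out which addresses have accounts."""
    user_id = next((uid for uid, u in USERS.items() if u["email"] == email), None)
    if user_id is None:
        return
    code = secrets.token_urlsafe(32)
    record = {"code_hash": hashlib.sha256(code.encode()).hexdigest(),
              "expires": now + RESET_TTL_SECONDS}
    # Send before persisting: if the mailer raises, nothing has been written
    # and the user's existing password still works, so they can simply retry.
    send_mail(email, f"https://example.test/reset?id={user_id}&code={code}", fail=mail_fails)
    RESET_TOKENS[user_id] = record


def reset_password(user_id: str, code: str, email: str, new_password: str, now: float) -> bool:
    """The reset form: the email typed by the user (something you know) and the
    code from the link (something you have) must both match. On success the
    token is consumed and the new password is stored hashed; the old password
    was never changed or mailed."""
    user = USERS.get(user_id)
    record = RESET_TOKENS.get(user_id)
    if user is None or record is None or now > record["expires"]:
        RESET_TOKENS.pop(user_id, None)
        return False
    email_ok = hmac.compare_digest(user["email"].lower().encode(), email.strip().lower().encode())
    code_ok = hmac.compare_digest(hashlib.sha256(code.encode()).hexdigest(), record["code_hash"])
    if not (email_ok and code_ok):
        return False  # same answer for a wrong email and a wrong code
    salt = secrets.token_bytes(16)
    # Salted PBKDF2 stands in for the framework's password hasher.
    user["password_hash"] = salt.hex() + "$" + hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000).hex()
    del RESET_TOKENS[user_id]
    return True


if __name__ == "__main__":
    request_reset("bob@example.test", now=0.0)
    code = OUTBOX[-1][1].split("&code=")[1]
    print("wrong email:", reset_password("u-1", code, "eve@example.test", "pw", now=1.0))
    print("email + code:", reset_password("u-1", code, "bob@example.test", "pw", now=1.0))
```

The ordering in request_reset is the direct answer to the mail-failure problem: the only state written after a successful send is a hashed, expiring, single-use token, so a lost email never locks anyone out. Checking the email on the reset form is what turns a leaked link into something an attacker still cannot use alone, which is the point made in the earlier answer.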
