In SimpleMembershipProvider that comes with ASP.NET Razor it's possible to call GeneratePasswordResetToken, then email generated token to the user's email. Then, when the user clicks on the URL, it takes them to a page to reset password.
What is the equivalent workflow in AspNetSqlMembershipProvider? Is it possible to generate a token that can then be used to reset the password?
Thanks.
Related
I am a beginner of asp.net. I currently have a login page with forgot password link button on the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing.
How do I retrieve my password from the user list?
You don't want to store or retrieve the original password for security reasons - asp.net should be storing a hash of the original password in your data store. When a user enters their password again, the configured hashing algorithm should hash it to the same value as before and it matches the stored hash on the backend to authenticate.
See also Asp.net MVC - How to hash password for more background.
I want to enable Facebook authentication and the FB-Graph in my website, which already has forms authentication. Using http://multitiered.wordpress.com/2010/08/05/getting-started-with-the-facebook-c-sharp-sdk/, I was able to figure out how to login server-side.
However, the problem with this approach is that a secure cookie will not be created, since the call returns the authentication code in the querystring via a callback. This means that the user will have to login every time.
I can see two ways around this:
Store the access token in a secure cookie manually
Instead of the above approach, use the FB JS API to login - this stores a secure cookie with the access token automatically
I would prefer not to use the second approach, as I would like the login code to be server-side.
Which would be the better approach? Am I missing something?
I use the JavaScript method to first authenticate the user, the JS SDK then writes an encrypted cookie (called "fbs_[YourAppID]") when a connected user hits your page; using one of the many Facebook c# SDKs, this cookie can be decoded using your application secret giving you the user ID, oAuth token, expiry date etc.
Then I hook into the AuthenticateRequest event of my .NET application, check the presence of the cookie, decode if it found, and then find a user who has been assigned this facebook ID (your user table must have a extra field for storing the ID of their facebook account).
If a match is found, I write a normal forms authentication cookie for this user, then .NET will recognise them for all future requests. If no user is found, then this is a brand new user who has just connected. Use the SDK again to query the graph API using their oAuth token, get things like their name/email etc and create a new account, then issue a authentication token as normal.
By writing a normal authetication cookie, the user will stay logged into to your site for all requests, just as if they were a normal user.
One side point, when using email address, check for duplicates, and check for the facebook cookie in all requests. For example, an existing registered logged in user may have just connected.
I have an existing Spring application which I wish to also allow users to register / sign in through facebook.
The facebook sign-in is working fine, and is currently executed from the client using the Actionscript-Facebook API ( which is essentially a wrapper for the Facebook JS API).
However I'm unsure as to what is an appropriate approach for me to take in using the client-side authenticated session to authenticate against my own app server / session (ie., the Spring session).
In my own application, the user registers/authenticates with an email address & password.
My first thoughts in a facebook authenticated solution is to use the facebook email and secret values returned from the login call. These would be stored in my database when the user performs registration via facebook, (or specifically, a hash of secret) and using these to authenticate during login in the same manner as a regular login.
However, I'm unsure of what the secret value actually is, and whether it's a appropriate to use in this scenario. (The Facebook API seems unclear in what the return values of the login call actually mean)
Is this value bound to the user, or the session?
Does this value change, should the user change their password on Facebook?
Is this an appropriate value to store a hash of?
Finally, is there a more appropriate way of achieving this task?
I want to know more about win32 LogonUser api function. The last parameter is a token which can be used to impersonate a windows identity to execute code on a person's behalf. Say I have a login page where I enter my username, password and domain. When the user submits the page I validate the user by making a call to LogonUser() and get a token reference.
I am thinking why not store the token in a cookie and use it at a later stage (perhaps in another page). I just don't know what issues I might have to face upfront...
Can the token expire even if we don't close it properly using the CloseHandle() win32 call? Is there any article related with this particular requirement?
To authanticate users in Asp.net Membership we can call method
FormsAuthentication.Authenticate(username, password)
how can I do the same job (generate session, cookies and all other staff that Authanticate does) without users password?
I'm trying to login user over facebook connect. User's facebook id is stored within the users data. User should be signed in like a normal user.
I think you can use the SetAuthCookie method.
more info here http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.setauthcookie.aspx