My client requirement for the password recovery is,
when user enters his email/username, system will email him a unique link. In users email, when the user will click the link,
system will take the user to the change password page. User will type a new password and his password will be changed.
Any idea how to do this??
Right now the change password page is only accessable for the logged in users. How do I let a user in to the page by a external link click?
This is a kind of a "Password change process":
Create a database table with the userId, createDate, closeDate, and a UUID
send the mail with a link to your page that has the uuid from the prcoess database table
if the user enters the page you check if the process is still open (closeDate is null)
user can change password
you set the closeDate
First check the user Email IF it exists then send him/her a unique email of the link
Example:
link : http:\\www.abc.com\passwordrecovery.aspx?ID="+Guid.NewID()
In this way you will send a unique email to every user also store this ID in the user table so when the user click the link you will be able to verify sender.
On your Password Recovery Page Check the value of Query String variable ID
and matched the ID of the user in the database if they are equal then show the password page of the required user.
Hope you understand it.
In your link use a unique indentifier as the query string. Intercept the params on your page load event and look in the database if there is a match.
Related
I want to make a password reset functionality for protected pages in Wordpress for non logged in users.
The email of these people is stored in our database, and the page has a default random password.
Based on their e-mail address which they type in in a login form, if that email address is found in our database,
they would receive an email with a reset link to that email address, which would point to a password reset page, where they could do the change.
Is this possible in Wordpress in a way that is secure too. How would I go about it?
Yes it is possible using the below 15 steps...
Create password reset page with input for user email address
Post user email address to same page
Query database table to to verify email address belongs to a registered user
Create random string of characters, recommended 32 characters long
Store random string in database table
Create password reset URL
Password reset URL should direct to password reset page on your site
Include the random string as a query parameter in the password reset URL
Include the user email address as a query parameter in the password reset URL
Email password reset URL link to user
When user click on the password reset URL link it will open the password reset
page
Capture the random string and user email query parameters
Query database table to to verify email address belongs to a registered user
Crosscheck the the random string query parameter associated with the verified email address against the value stored in step 5
If match, proceed to allow user to change password value
Given the following scenario:
I have an email address.
I want the owner of that email address to click on a link that I send to him by email.
The page that I want the user to visit must be protected by a password, this password can be included in the mail that I send to him.
The site that the user is interacting with is using the simple membership provider for the regular users, but I don't want to use that system for this special one time visitor, as it leads to more tasks administering and cleaning up.
What are my alternatives?
When you send the email to the user, generate a random password and save it in the table against the email address. You will also store some unique id that you will pass it to the link you provide in the email. This unique id in the url will be used to identify the email address and also the one time password (OTP). It is also better to have an expiry date for the password. So your database table will have the following columns.
Unique Link Id
Email address
One Time Password
Expiry Date
That's it. When the link is clicked, access the unique id, ask OTP to the user and validate.
I am making a project. In that project first page is Login page.
In Login page, user'll enter user Id and Password, if match, page will redirect to second page.
In second page there is a hyperlink to go to third page.
In third page I want to show user's all the details like- firstName, lastName, emailId, mobileNumber, password etc.
My doubt is how to carry userId and Password from first page to third Page.
Please Help me.
Thanks in advance.
Save the user name and ID not the password, you don't need to save the password because it's not a good for security.
Go through this, it'll help you.
http://msdn.microsoft.com/en-us/library/system.security.principal.windowsprincipal(v=vs.110).aspx
You can use the WindowsPrincipal class to save the user credential it's save the user name and ID not the password, you don't need to save the password because it's not a good for security.
http://msdn.microsoft.com/en-us/library/system.security.principal.windowsprincipal(v=vs.110).aspx
Use cookies or session , will help you for both authentication and for what u mentioned here
http://www.w3schools.com/ASp/asp_cookies.asp
http://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net
You can store userId in Session or cookie on login success and get it on required page.
Do not store password in session or cookie as it may harmful from security point of view.
I suggest you to refer asp.net state management.
http://www.codeproject.com/Articles/492397/State-Management-in-ASP-NET-Introduction
http://www.codeproject.com/Articles/331962/A-Beginner-s-Tutorial-on-ASP-NET-State-Management
The way you are redirecting to Second Page from Login Page, just redirect directly from Login to Third Page.
Also, while checking login details, if user is an authenticated one, keep User ID in Session, so that you can easily retrieve logged in user's all details using that User ID.
In your login page check username and password is valid or not
if valid then create a session of userid for e.g Session["userid"]=userid
now in your third page you can get users firstname,lastname etc from userid
E.g:
int userid =Convert.ToInt(Session["userid"]);
var userDetails = GetUserInfomationfromid (userid) // here you can get user infomation from userid
if you want to read more about StateManagement in ASP.net
http://www.codeproject.com/Articles/492397/State-Management-in-ASP-NET-Introduction
For Password Recovery my vb.net application send an email to the user with a link in the following format.
http://<password-reset page url>?id=<userid>&tpr=<times Password Reset>&time=<time when the link was generated>
Times Password Reset is the number of time the user has used a password reset link to reset the password. It's value in the database and the value in query string are matched. To ensure the same password reset link cannot be used twice to reset the password.
Time is use to check that not more than 24 hours have been passed before the link is used.
And userid is used to identify the user.
If all the conditions matches, the user is prompted to change his/her password.
All the fields in the in the encrypted with AES.
I wanted to know if this method is secure?
Quick answer: No.
Forget all the parameters you use in the URL. Just generate one random, non-guessable string (UUID for example) and put it in the URL as parameter. Then send that URL to the user via the email adress you have stored for him. Store the UUID together with all the parameters you have in your URL now in your database. When the user clicks the link, validate all parameters (timestamp, and so on) and let him set a new password.
Se also the OWASP Cheat Sheet on Password Reset.
I am developing an ASP.Net application that will need to verify that the user is legit and not a spam. Once the new user enters their first name, last name, email address, my application will send an email to verify the user's authenticity. The email would conatin a link that would confirm the users account.
I am looking help on what the logic is behind the email link. Once the user clicks the link, what happens?
I have had a website that has used Captcha, and not had much luck stopping spam (I know you can't stop 100% spam) similar to this Stopping spammers from creating accounts (reCaptcha not doing the trick)
As Rook has pointed out below, the simplest way is to use Captcha.
If you need to verify the email as well though, see below.
You could generate an approval GUID and pass it to the email URL which would mark the User as Active.
For example, add a column called ApprovalID to the users table and generate a new GUID when the user registers, i.e.
You should mark the user as inactive at this stage.
Example Guid 3F2504E0-4F89-11D3-9A0C-0305E82C3301
Then pass the User Id and GUID in the email body
Verify your account
Then a simple page verify.aspx
Code Behind
string UserId = Request[UserId].ToString(); // You can parse these as Guids
string ApprovalId = Request[ApprovalId].ToString();
TODO:
// Get user from database
// Match QueryString ApprovalId to Column ApprovalId
// Ask user to Log In
// Set user as active
Sending a confirmation link doesn't do anything to stop spam. Emailing someone a link with a Cryptographic Nonce just insures that they can receive email, bots can also receive email.
The best way stop spam is by using capthca, and I recocmend using reCapthca. You should prompt the user with a capthca when a user signs up for your service.