Can I use the asp.net 3.5 Password Recovery control in an MVC application?
We need to provide password retrieval capability for our MVC app and I would like to use the password recovery control which only works with a web form app.
Unlike Login and Logout, the Password Recovery feature does not come implemented in a brand new ASP.NET MVC project; however, adding this feature to an ASP.NET MVC project is actually pretty easy, as the Membership class already has the core functionality built in.
I've posted in my blog an explanation on how I did it:
http://www.hectorcorrea.com/blog/Password-Recovery-in-an-ASP.NET-MVC-Project.aspx
A couple points on the current state-of-the-art (as of Oct, 2011):
1st: there's a good chance you don't actually want password "recovery", since it's considered a security risk and you have to turn off one-way password encryption to be able to implement it. Instead, most people implement password "reset".
If you really do want to allow "recovery" then:
1) When you create a new internet project in VS2010, it creates: LogOn, Register, and ChangePassword pages for you. As Hector says, there's no password recovery created for you.
2) However, the Asp.Net Membership provider does support it, so you could add it by creating a Model, Controller and View yourself, setting enablePasswordRetrieval="true" and passwordFormat="Encrypted" and calling Membership.GetUser().
If instead of password "Recovery" you actually want password "Reset" then there are a couple of ways to implement it:
i) Self-service - where the user can click on a link and an email is sent to them with a link to reset the password.
Examples:
This one I have tried. I like it because it handles both account confirmation and password reset:
-- http://nuget.org/List/Packages/SimpleMembership.Mvc3
I have NOT tried any of these:
-- http://hectorcorrea.com/Blog/Password-Recovery-in-an-ASP.NET-MVC-Project
-- http://stevenalexander.posterous.com/expiring-password-reset-token-in-mvc-with-wf
-- http://forrst.com/posts/ASP_NET_MVC_3_C_Password_Reset-gFA
ii) Administrator Managed - you contact the administrator, who then resets your password for you. TroyGoode's MvcMembership Starter Kit that Gthompson83 refers to above is an example of this. There's a menu item called "User Administration" that's accessible to administrators and allows passwords to be reset or a random one generated and emailed to the user. It also lets you manage roles.
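As an added illustration of the self-service "reset" flow described in i) (example code, not from any of the posts or the linked packages), here is a minimal MVC controller on top of the built-in SqlMembershipProvider. It assumes passwordFormat="Hashed" and requiresQuestionAndAnswer="false" in web.config, and a hypothetical IResetTokenStore that persists the token hash and expiry.

```csharp
// Added example, not code from any post above: self-service password *reset* (not recovery) on the
// built-in SqlMembershipProvider with passwordFormat="Hashed" and requiresQuestionAndAnswer="false".
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;
using System.Web.Security;

public interface IResetTokenStore   // hypothetical; stores (username, token hash, expiry)
{
    void Save(string userName, string tokenHash, DateTime expiresUtc);
    string Redeem(string tokenHash); // username if found and unexpired, else null; one-time use
}
public class PasswordResetController : Controller
{
    private readonly IResetTokenStore _store;
    public PasswordResetController(IResetTokenStore store) { _store = store; }
    // Step 1: mail a one-time link. Same response whether or not the address is registered.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Request(string email)
    {
        string userName = Membership.GetUserNameByEmail(email);
        if (userName != null)
        {
            byte[] raw = new byte[32]; using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
            string token = Convert.ToBase64String(raw);
            // Persist only the hash with a short expiry: a leaked table yields no usable links.
            _store.Save(userName, Sha256(token), DateTime.UtcNow.AddMinutes(30));
            string link = Url.Action("Reset", "PasswordReset", new { token }, Request.Url.Scheme);
            // SendMail(email, link): hypothetical mailer, not shown.
        }
        return View("CheckYourEmail");
    }
    // Step 2: redeem the token exactly once, then replace the password. ResetPassword() assigns a random
    // value never shown to anyone; ChangePassword swaps in the user's choice. Provider throws if too weak.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Reset(string token, string newPassword)
    {
        string userName = _store.Redeem(Sha256(token));
        if (userName == null) return View("TokenInvalid");
        MembershipUser user = Membership.GetUser(userName);
        try { user.ChangePassword(user.ResetPassword(), newPassword); }
        catch (ArgumentException) { return View("WeakPassword"); }
        return View("Done");
    }
    private static string Sha256(string s)
    {
        using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(s)));
    }
}
```

Because the token is redeemed before ChangePassword runs, a rejected (too weak) password burns the link and the user must request a new one; validate against Membership.MinRequiredPasswordLength up front if that is unwanted.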
A lot of server controls from Webforms will not work on MVC as designed. Check out the MvcMembership starter kit.
For my new website, I am using a custom login.aspx (simply two text boxes username and password with a button). Actually I don't know about authentication modes in ASP.NET. Do I need to specify any mode in my web.config?
What are the security issues related to this?
Any links to articles related to this will be appreciated.
Have a look at ASP.NET Identity. This is the way to handle authentication/authorization in ASP.NET these days.
Start reading the introduction on the asp.net site and a lot of things will become clear.
Just a login.aspx page will bring you nothing, since there's a lot more involved than just username/password checking. You need to store usernames/passwords, encrypt things, handle cookies (persistent or not), handle authorization, maybe some registration or roles etc etc.
All these things can be done with ASP.NET Identity. If it's a new website, in VS2013, Individual User Accounts authentication is on by default when creating a new ASP.NET web project. There's a lot of boilerplate code in the project template to get you up and running...
http://asp.net/identity
Anyway, thanks for your suggestion. I am using 'Scrypt' based hashing. Forms authentication seems easy, but it's difficult for me to manage cookies, user tables etc. I use the User table for many other purposes also.
This method gives me good control over everything, even if it's difficult to get coded.
I am working on a project of developing a web UI. The project requires a .NET implementation. I currently published the website on Windows Server 2008 with IIS 7.5 for testing. The project asks for a login/out page as the entrance to the main UI. The login/out page should ask for username and password with some security questions. It also should enable the user to change and save the password. The authentication technique has to be implemented using digest authentication.
I have already tested the digest authentication after enabling it in IIS. It works well, popping up a window asking for the username and password. However, I have a doubt whether the digest authentication allows for a customized login/out page and the ability to change and save the password (which will most likely be realized with forms authentication, to the best of my knowledge). I believe there might be (or not?) some ways of doing it; can anyone guide me to some references or sample code?
Try this article: http://www.eggheadcafe.com/articles/20030701.asp
And maybe this one: http://msdn.microsoft.com/en-us/library/Ee817643%28pandp.10%29.aspx
I'm currently developing a website using Visual Studio 2010. As you all might know, creating a new website here automatically adds an Account folder which contains webpages like Login.aspx, etc. I am implementing this Login.aspx which contains the ASP.NET Login control. It's now functioning the way it should but I have a few concerns.
Before, I used to create my own UI for the log-in, so managing sessions is not a problem to me. But since I'm currently using the Login.aspx which has a CS file that is almost empty, I don't have an idea where I can start implementing my session. Meaning to say, I don't know how to check programmatically if the user has been successfully logged in so I can start implementing my session.
I would very much appreciate any pointer regarding this matter.
Thanks in advance. :)
You could subscribe for the Authenticate event and perform some custom authentication logic. Also you may take a look at the following article.
There are events associated with the ASP.NET Login Control that you can use to create a session, like OnLoggingIn. Moreover, you can find more about user validation here: Validating User Credentials Against the Membership
I need to secure my website without using the ASP.NET built in login controls or the Forms Authentication.
It needs to support "normal" users and admin users.
Any suggestion? Thanks
Well, it's impossible to build anything in ASP.NET without a tag = )
I can't tell exactly what you are asking, so I will try to go over the whole groundwork.
ASP.NET Provides Different Authentication Models
You can use ASP.NET's built in authentication with Membership and Roles
You can write your own ASP.NET membership model
You can use another ASP.NET authentication model, such as Shibboleth, Windows/IIS, and others, see JD's post.
You can skip all of these and use your own "authentication", perhaps it is stored as a simple Session variable
ASP.NET Provides Different Controls
There is a handy Login control that integrates with ASP.NET's built-in membership, making things very easy.
If you don't want to use that, you can simply use ASP TextBoxes, Buttons, etc, and basically create your own login form.
In addition to JD's and rlb.usa's posts, you can also use OpenID or Windows Live ID authentication perhaps. Both of these have membership providers for ASP.NET. Check out CodePlex for those; however, if you want a truly customizable solution, perhaps it's best for you, as rlb.usa pointed out, to use a simple session variable solution.
Perhaps you want to use Windows Authentication (rather than Forms Authentication) with ASP.NET? You should choose Windows authentication if your user accounts are maintained by a domain controller or within Active Directory and there are no firewall issues. I think this is what you are after. Here's a decent write up.
Umm, a quick response is for you to check out the authentication features provided by IIS. These include Kerberos, NTLM, Basic Auth, just to name a few.
I want to add login for registered users in my website. How shall I proceed with it? Is it through the use of sessions? What will happen to the Session variable once the logout happens?
Your question is extremely broad and there are many different ways that you can implement what is, in effect, a "membership" system for an ASP.NET website.
I would suggest that you start by reading the "Introduction to Membership" article from MSDN. This article will give you an overview of how ASP.NET membership works in the most "standard" way.
It also mentions using the various ASP.NET membership "controls" (Login, LoginView, LoginStatus & PasswordRecovery for example).
Using these controls along with the built-in ASP.NET membership providers (for example, ASP.NET provides a SQL membership provider to work against SQL Server as the data store for your user accounts and credentials) will allow you to implement a complete membership and authentication system with virtually no code at all (i.e. all the functionality is provided by the built-in "membership" controls and declarative mark-up).
Finally, a really good series of articles on this subject is:
Examining ASP.NET 2.0's Membership, Roles, and Profile
from the 4guysfromrolla site. It starts at the very beginning of the membership topic and goes right the way through to touching on the implementation of a custom membership provider and administrative interface for managing user credentials to round out the whole subject.
I'd take a look at related questions, such as
Login Membership .NET
This topic is already covered quite a lot on SO.
Session state and log in are somewhat orthogonal. You have a session regardless of whether or not you are logged in.
You should use the provided Login control and Membership system.
About Session vars, nothing special will happen. ASP.NET forms authentication does not use SessionState by default.
I would recommend using forms authentication with perhaps a custom backend using IIdentity and IPrincipal. There's lots of information available on how to do this, but I think this link forms a good starting point: http://msdn.microsoft.com/en-us/library/aa480476.aspx
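As an added example (not code from any answer above, nor from the linked MSDN article) of what the last two answers describe: forms authentication with a custom IPrincipal whose roles ride in the ticket's UserData, so login state lives in the cookie and Session state is not involved at all, which also covers the "normal users and admin users" requirement from the earlier question. The VerifyCredentials delegate stands in for a hypothetical user store; pass `new HttpContextWrapper(Context)` from Global.asax.

```csharp
// Added example, not code from any post above: forms authentication with a custom IPrincipal,
// roles carried in the ticket's UserData, and no dependency on Session state.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class AccountService
{
    // Hypothetical user store: returns the user's roles on success, null on failure. Verify the
    // password with a slow salted hash (bcrypt/scrypt/PBKDF2), never by comparing plaintext.
    public delegate string[] VerifyCredentials(string userName, string password);

    // Login: issue an encrypted, HttpOnly forms ticket. Roles are stored in UserData so every
    // request can rebuild the principal from the cookie alone. DateTime.Now matches ticket.Expired.
    public static bool SignIn(HttpContextBase ctx, VerifyCredentials verify, string userName, string password)
    {
        string[] roles = verify(userName, password);
        if (roles == null) return false;
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
                                                   false, string.Join(",", roles));
        string enc = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, enc)
        {
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL  // set requireSSL="true" in web.config
        };
        ctx.Response.Cookies.Add(cookie);
        return true;
    }

    // Call from Global.asax Application_PostAuthenticateRequest: rebuild the principal from the
    // ticket so HttpContext.User.IsInRole("Admin") and [Authorize(Roles = "Admin")] both work.
    public static void RestorePrincipal(HttpContextBase ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }   // tampered or foreign machineKey: stay anonymous
        if (ticket == null || ticket.Expired) return;
        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Logout: clear the auth cookie. Session state is untouched and unrelated to the login.
    public static void SignOut() { FormsAuthentication.SignOut(); }
}
```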