Got this site with UN/PW set via the CreateUserWizard control.
Client considers PW too large of a barrier to entry and wants to get rid of the password requirement but still have accounts, so users simply log back in with email address only.
I want the quickest fix possible where I use the same provider and control but just use the same static PW for all users on signup, then sort of enter it for them when they "log in" if they return. Works like a cookie basically, but has an actual login.
Problem is the CreateUserWizard.Password property is read-only. Can I do AutoGeneratePassword=true and force it to generate the exact same password every time?
For what it's worth, this is a simple, no-secure-data, basically not-much-stored kind of site. Let's not get into whether the requirement makes sense, though, and the implications of this - I probably agree with you :)
Bla, bla, bla lots of stuff you probably agree with... and now to the point:
Just ditch the CreateUserWizard and call MembershipProvider.CreateUser directly. You will have to throw in a few textboxes for the email and stuff instead of the createuserwizard but it should be a walk in the park. For the login, just drop the login control too and add a textbox for the email and a "login" button. Then in code-behind call MembershipProvider.ValidateUser with the email and hardcoded password, and if it returns true (meaning the user exists) you just call FormsAuthentication.SetAuthCookie followed by FormsAuthentication.RedirectFromLoginPage and the user is logged in.
I need the functionality to change an Umbraco member's password programmatically. Users can add their new password in a field I have set on the Umbraco node, and when they publish the node the new password should come into effect. I have found a way to change the current password to a given one:
member.ChangePassword(oldPassword, password);
But this requires the old password to work, and I can't provide it, as the user has already changed the old password in the Umbraco node. Then I tried to get the old password programmatically:
string theUserPassword = Membership.GetUser(username).GetPassword();
but this also throws an error:
Password Retrieval Not Enabled.
Is there any way to get the old password programmatically? Or am I going in the wrong direction?
Umbraco uses the Microsoft Membership Provider.
You probably have set the property "EnablePasswordRetrieval" to false.
If you don't know the password but need to change it, you can reset the password by using the ResetPassword method.
I know this is an old post and an answer has already been accepted, but you can actually achieve what the OP wants to do by using the return value of the ResetPassword method for the oldValue parameter of the ChangePassword method:
member.ChangePassword(member.ResetPassword(), "New Password");
This allows you to change the password for a user to a specific value without knowing their existing password.
Another option to an old question:
I am using Umbraco 7.2.4 and here is how I change the password.
var member = Services.MemberService.GetByUsername("username");
Services.MemberService.SavePassword(member, "new password");
Where "Services.MemberService" is from ApplicationContext.Current.Services.MemberService.
The first line of code is where you get the member for which you want to change the password. This can also be done by email or id.
Services.MemberService.GetByEmail("email")
Services.MemberService.GetById(id)
The second line is where you change the password. It is automatically hashed.
I need to force users to change their password at least every 30 days. How should I start? I noticed in the database that the users table has a column credentials_expire_at, and when it's set to a past date such a user can't log in, so I thought of allowing a password change in the login form when the expiration message is detected.
You need to do it in this way:
Create EventListener to onSecurityInteractiveLogin event
Check the date
If it fails redirect to change password form
Look at this coderwall protip: http://coderwall.com/p/cfmbaq
I am kind of new to ASP.NET.
I wonder whether there is any way to restrict users so they can only enter from a specific page?
Like, I have a Page A to let them enter some information; then, when they submit, I use Response.Redirect to go to Page B. But I don't want the user to be able to go into Page B directly from the URL....
If I use Session, then if the user didn't close the browser to end the session, another user can just go into Page B directly...
Because the computer that accesses these pages is used by the public, I want to see if there is any way to make sure they only follow a one-way process: they can't go back to the previous page or jump to another page.
Thanks in advance.
If you control the other page, start a session and set a session variable to a value that can be reversed that only your server could (or should) create, much like serial keys. For example 72150166 because the sum of every second number equals the sum of every other number (7 + 1 + 0 + 6 = 2 + 5 + 1 + 6) but you could choose an algorithm as complex or as simple as you want. When the user navigates to the second page, check the session variable. This is not invincible security, but it is better than checking the referrer (especially since some browsers do not set it) and I imagine security based on coming from a certain page doesn't have to be that strict.
Edit: You should also add it to a database and link it with the particular user's IP so someone else can't use the same key.
You can use Request.UrlReferrer property in the Page Load of PageB to see which page is the request coming from. If the request is not coming from PageA then redirect the user to PageA.
Check this link for more information: http://msdn.microsoft.com/en-us/library/system.web.httprequest.urlreferrer.aspx
Note: UrlReferrer is dependent on a request header and someone can set the header to mimic the request coming from PageA.
You could have the page that redirects send some sort of specifically generated hash/key in the query string that expires quickly and/or once viewed. This should be a lot more solid on the security side.
You will still need some way to store this key, or the value producing the hash, so you can validate it on the receiving end; I would think your DB.
For a Web Application I'd like to generate an email validation link and send it to the user. Like on many public websites, the user should click it to validate his email address. Looks similar to this:
http://www.foo.bar/validation?code=421affe123j4h141k2l3bjkbf43134kjbfkl34bfk3b4fkjb43ffe
Can anybody help me with some hints about the proper generation of those validation tokens? Googling best practices turned out to be more difficult than I thought it would be. The links should:
... not require the user to log in first.
... not reveal any login credentials to keep the application secure
... allow me as a developer to efficiently validate the token. I'm pretty sure I need a way to extract the user identifier out of the code to meet this criteria. Don't I?
Furthermore, would you go for a random code, which is saved somewhere, or a generated code which I can recalculate for validation?
Thanks for any replies!
Matthias
P.S. I'm working with ASP.NET 3.5, in case there's an out-of-the-box feature to perform this.
Some suggestions to get you started:
Use GUIDs
Use some sort of salted hash (MD5, SHA1, etc)
Use a random string of characters (the more characters the less likely you'll have collisions)
Store it in a database temporarily, and timestamp it so that it expires after a certain period of time
The simplest way to do it is generate a GUID, store that in the database tying it to their user account and then give them a time-frame within which to click a link with that GUID in.
That validates they are the correct person without making the URL calculable whilst making it resistant to dictionary style attacks.
I construct the hash in a way that can be re-created:
code = MD5( my_hash + user_email + register_timestamp )
Then send a link to http://example.com/validation/?code=4kj34....
Validation does a lookup like:
SELECT id
FROM users
WHERE
MD5( CONCAT( my_hash, user_email, register_timestamp ) ) = code
AND activated = 0
If you get a single result, update their 'activated' field and sign them in. You can also do some math on their 'register_timestamp' field for a poor man's TTL
I would probably use a Guid. Just create a Guid (by calling Guid.NewGuid()), store it as the validation token for that user, and include it in the validation link.
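The two designs the question asks about (a random code that is saved somewhere versus a code that can be recalculated) side by side, as an added example that is not part of any answer above. Design A is the stored-GUID approach with two refinements the answers only hint at: the store keeps a SHA-256 of the token rather than the token itself, and each token is single-use as well as time-limited. That same single-use store also answers the earlier question about letting Page B accept only visitors who just came from Page A: Page A issues a token, puts it in the redirect, and Page B redeems it. Design B is the recalculable approach, using HMAC-SHA256 instead of MD5 over a secret prefix (a secret-prefix MD5 or SHA-1 is subject to length extension, and the comparison should be constant-time); because nothing is stored, a stateless token stays replayable until the account is flagged activated, which is what the `activated = 0` check in the SQL above provides. The names (`StoredTokenStore`, `make_stateless_token`, `SECRET_KEY`) and the in-memory dict standing in for a database are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical server secret for the stateless design; in a real deployment
# load it from protected configuration, never from source.
SECRET_KEY = b"assumed-server-secret-change-me"


@dataclass
class PendingToken:
    user_id: int
    expires_at: float
    used: bool = False


class StoredTokenStore:
    """Design A: random opaque token remembered server-side with an expiry and a
    single-use flag. Only a SHA-256 of the token is stored, so a leaked table does
    not hand out clickable links. The dict stands in for a database table."""

    def __init__(self, ttl_seconds: int = 3600, now: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be exercised offline
        self._records: Dict[str, PendingToken] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
        self._records[self._digest(token)] = PendingToken(user_id, self.now() + self.ttl)
        return token

    def redeem(self, token: str) -> Optional[int]:
        """Return the user id exactly once; None for unknown, expired or used tokens."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return None
        rec.used = True
        return rec.user_id


def make_stateless_token(user_id: int, expires_at: int, key: bytes = SECRET_KEY) -> str:
    """Design B: recalculable token. The payload (user id and expiry) travels in the
    link and an HMAC-SHA256 over it proves the server minted it; nothing is stored."""
    payload = f"{user_id}:{expires_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{mac}"


def verify_stateless_token(token: str, now: float, key: bytes = SECRET_KEY) -> Optional[int]:
    """Return the user id if the MAC verifies and the token is unexpired, else None.
    The caller must still refuse already-activated accounts; this token alone is replayable."""
    try:
        body, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            return None
        user_id, expires_at = payload.decode().split(":")
        if now > int(expires_at):
            return None
        return int(user_id)
    except (ValueError, binascii.Error):
        return None  # malformed token: wrong shape, bad base64, non-numeric fields


if __name__ == "__main__":
    store = StoredTokenStore(ttl_seconds=3600)
    link_token = store.issue(user_id=42)
    print("stored-token link: http://www.foo.bar/validation?code=" + link_token)
    print("first redeem  ->", store.redeem(link_token))
    print("second redeem ->", store.redeem(link_token))  # None: single use
    stateless = make_stateless_token(42, int(time.time()) + 3600)
    print("stateless link: http://www.foo.bar/validation?code=" + stateless)
    print("verify ->", verify_stateless_token(stateless, now=time.time()))
```

Design A is the safer default: it is revocable, single-use by construction, and an attacker who reads the table still cannot build a valid link. Design B saves a table but needs the activation flag (or another server-side state) to stop replay, and its key must be rotated if it ever leaks.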
I have an interesting problem, I am writing a password management webpage/service and I am trying to find a way to determine when a user's password is going to expire so I can manually reset their other passwords with it and send out an email, etc.
The problem I'm having is that when trying to loop through my users I'm getting the bulk of them not having a pwdlastset attribute so I can't determine when it's going to expire.
So I guess I am looking for ideas on a good way to check for when a user's password is going to expire aside from using the pwdlastset property and calculating the time left.
Thanks a bunch.
It's actually quite a bit more complicated than you might think at first...
in order to know how long a password can be valid, you need to read a "domain policy" and find out that way
Then:
if the user has the "UF_DONT_EXPIRE_PASSWD" flag set in his "userAccountControl", his password will never expire
if the "pwdLastSet" value (an "ADSLargeInteger" or Int64 value, which is rather tricky to read in the first place) is 0, the user will have to change his password the next time he logs on
if the "pwdLastSet" value is -1, the password has never been set
only if none of the above are true, then the "pwdLastSet" value contains the date when the password was last set, to which you can add the "MaxPasswordAge" from the domain policy, and this will give you the date when the user's password is going to expire
Phew! Did you think it would be this tricky? :-)
Marc
PS: If you're serious about .NET based AD programming, you ought to have this book:
The .NET Developer's Guide to Directory Services Programming
The book contains all the goodies like determining user's password expiration dates, determining user account lockout state and much much more - highly recommended! Joe and Ryan did an outstanding job getting all this information together and explaining it so that even an average Joe programmer like myself can understand it :-)
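The rule set in the answer above carried through as working code, as an added example that is not from the answer or the book it recommends. It shows the two pieces that usually trip people up: pwdLastSet is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, handed back by LDAP as a decimal string) and the domain's maxPwdAge is a negative Int64 in the same units (-36288000000000 is the 42-day default), so the expiry date is pwdLastSet plus the negated policy value. The checks run in the order the answer lists them; treating a missing attribute like 0 is this example's assumption, and the sample user records at the bottom are constructed, not real directory data.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple, Union

UF_DONT_EXPIRE_PASSWD = 0x10000                      # bit in userAccountControl
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INT64_MIN = -0x8000000000000000


class PasswordState(Enum):
    NEVER_EXPIRES = "never expires"
    MUST_CHANGE = "must change at next logon"
    NEVER_SET = "never set"
    EXPIRES = "expires"


def parse_large_integer(value: Union[int, str, bytes]) -> int:
    """LDAP returns pwdLastSet and maxPwdAge as decimal strings (or bytes);
    accept those as well as an already-converted int."""
    if isinstance(value, bytes):
        value = value.decode()
    return int(value)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_expiration(user_account_control: int, pwd_last_set: Optional[int],
                        max_pwd_age: int) -> Tuple[PasswordState, Optional[datetime]]:
    """Apply the rules in order. max_pwd_age is the domain's maxPwdAge, a NEGATIVE
    tick count; 0 or the minimum Int64 means the policy sets no expiry."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return PasswordState.NEVER_EXPIRES, None
    if pwd_last_set in (None, 0):   # assumption: a missing attribute is treated like 0
        return PasswordState.MUST_CHANGE, None
    if pwd_last_set == -1:
        return PasswordState.NEVER_SET, None
    if max_pwd_age in (0, INT64_MIN):
        return PasswordState.NEVER_EXPIRES, None
    expires = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)
    return PasswordState.EXPIRES, expires


def days_until_expiry(user_account_control: int, pwd_last_set: Optional[int],
                      max_pwd_age: int, now: Optional[datetime] = None) -> Optional[int]:
    """Whole days left (floored, so negative once expired); None when no date applies."""
    state, expires = password_expiration(user_account_control, pwd_last_set, max_pwd_age)
    if state is not PasswordState.EXPIRES:
        return None
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


if __name__ == "__main__":
    # Constructed sample records (name, userAccountControl, pwdLastSet as LDAP string).
    sample_users = [
        ("alice", 0x200, "133485408000000000"),        # normal account, set 2024-01-01 UTC
        ("svc-backup", 0x10200, "133485408000000000"), # UF_DONT_EXPIRE_PASSWD set
        ("bob", 0x200, "0"),                           # must change at next logon
    ]
    domain_max_pwd_age = parse_large_integer("-36288000000000")  # 42 days
    for name, uac, pls in sample_users:
        state, when = password_expiration(uac, parse_large_integer(pls), domain_max_pwd_age)
        print(f"{name:12} {state.value:28} {when.isoformat() if when else ''}")
```

Feed it the raw attribute values from whatever directory client you use; for the notification use case in the question, `days_until_expiry` gives the number to compare against your warning threshold.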
As far as I know, if pwdlastset is zero or missing, the user is either required to change their password at the next logon or their account is set up with a non-expiring password. Could this be the cause of what you are seeing?
Here's another approach:
public static DateTime GetPasswordExpirationDate(UserPrincipal user)
{
    // Drop from the AccountManagement principal to its DirectoryEntry...
    DirectoryEntry deUser = (DirectoryEntry)user.GetUnderlyingObject();
    // ...and from there to the ADSI COM object, which computes the date for us
    ActiveDs.IADsUser nativeDeUser = (ActiveDs.IADsUser)deUser.NativeObject;
    return nativeDeUser.PasswordExpirationDate;
}
You'll need to add a reference to the ActiveDS COM library typically found at C:\Windows\System32\activeds.tlb.