Forums

Skip Navigation LinksHome / Developer Network / Forums / Sitefinity Older Versions (3.x): Security > Send one time use link by email to reset forgotten password

Send one time use link by email to reset forgotten password

Feed from this thread
  • Belkacem avatar

    Posted on Jan 12, 2010 (permalink)

    Hi,

    I want to implement the following forgotten password reset :
     
    1) Prompt the the user to input his subscription mail.
    2) Send an email containing a One-time-use link (ResetForgottenPass.aspx?uniqueQueary).
    3) When the user click the link he will be redirected to the NewPassword/ConfirmeNewPassword form, so he will choose his own new password.

    This way to reset forgotten password seems to me more efficent than the Question/Answer mecanisme. 
    Let say i want to implement the same mecanisme as the "sitefinity.com" web site for forgotten password reset.

    The only idea that comes to me is to use a DB table that stores the One-time-use uniqueQueary (let say uniqueQueary = Date+GUID+Seed ), so we can ensure the link will be used just for one time from the user mailbox

    Any suggestions ?

    Thank you,

    Reply

  • Answer Ivan Dimitrov Ivan Dimitrov admin's avatar

    Posted on Jan 12, 2010 (permalink)

    Hello Belkacem,

    1) Prompt the the user to input his subscription mail.

    You need to create a custom form - it could be just a TextBox with a button "Reset" Then you have to create a custom table in your database that has the following columns = userID, UserEmail, , TimeForReset, Clicked The TimeForReset will be used to set certain time that you should give to your user to reset his/her password - say 24 hours.

    2) Send an email containing a One-time-use link (ResetForgottenPass.aspx?uniqueQueary).

    Once the link is clicked you have to set Clicked to 1 in the databse ( this is boolean type variable - true/false). If the link is clicked  again you have to check the value from the datatabase and redirect the user to another page.
    Another option is adding column in the database with the current password of your user. The password should be hashed and appended as a querystring, so that this will not make any sence to the user. On the server once you recieve the request you can decript the current password and check whether it is the same as this one stored in the databse ( this means that the user has not reset the password). If the password is the same you will forward the reqest to your NewPassword/ConfirmeNewPassword form, otherwise to another page.

    3) When the user click the link he will be redirected to the NewPassword/ConfirmeNewPassword form, so he will choose his own new password.

    Here you can use ChangePassword method of ASP.NET MembershipUser class.

    Best wishes,
    Ivan Dimitrov
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Watch a video on how to optimize your support resource searches and check out more tips on the blogs.

    Reply

  • Belkacem avatar

    Posted on Jan 12, 2010 (permalink)

    Hi Ivan,

    I will use this process :

    1) Generate a new Guid ( System.Guid.NewGuid() );

    2 ) Store that Guid in a DB table;

    3) Send a custom URL in an email with that Guid;

    4) When the user hits the link, make sure the Guid exists in the DB table and the timeSpan is less then 24h;

    5) If so direct the user to the changing password form, otherwise redirect to expired link page;

    I think adding the next sitefinty cms release with such a module would be great in term of password recovery.

    Thank you :)
    Belkacem Mansouri

    Reply

    • Register for webinar
Skip Navigation LinksHome / Developer Network / Forums / Sitefinity Older Versions (3.x): Security > Send one time use link by email to reset forgotten password