Could someone explain to me how to send a verification email, without using asp.net usercreation wizard, i want it so that when the email is sent, it will contain a url link to activate an account
First Add a field to Users table called RegisterGuidId with type uniqueidentifier
Second after registration send a normal email to user with link to your activation page with new generated RegisterGuidId
Third after user redirected to you activation page use the generated guid to get user data from database
Basically what you need to do is, when the user registers generate a hash that is specific to the user (ideally something that can't be predicted by the bad guys) -> send this hash to the email that the user provided.
If you get a request with the url/hash that means he verified his account.
That's the basic idea anyway.
Related
I am designing some Forgot Password functionality in an ASP.NET application, and had a question about the best way to secure the endpoint where a user can reset their password.
How I imagine this to work is (roughly) the following:
User clicks 'Forgot Password' on the login form
User is taken to a screen where they will enter their email associated with their account
User is then taken to a screen where they can answer some security questions (required by my company)
After answering questions correctly, the user will be sent an email containing a link.
User clicks the link in their email which will take them to a password reset form
My question here is, how can I ensure that when someone arrives at this password reset form that they arrived there from clicking on that email link, and didn't just manually type in the URL to get there?
One solution I've thought of was to encrypt some data and append it as a parameter in the URL inside the email. So when they click that link, I can decrypt the data and ensure it came from a valid email before serving the form. But I'm not sure the best way to go about this.
A solution consists of creating a token that can be used once on the reset page. You send by email a link similar to https://example.com/PasswordLost?token=467dc4ad9acf4, then the site checks that the token is valid and displays the password change page. To add more security it is possible to limit the validity of the token in time: about ten minutes are largely sufficient. Once in use, the token should no longer be usable.
There are many ways to generate the token. You can generate a random string and store it in a database with the associated email address and the expiration date of the token. Then, you can validate it by querying the database. The other solution that I prefer, is to generate a token that is ciphered by the server. Then, you can decipher it and validate the data it contains (user email and expiration date, last password changed date). This way you don't have to store anything on the server. This is what ASP.NET Core Identity does.
You can read my blog post about how to implement Password reset feature in a web application? for more information.
I have a form in my asp.net site. when user fills email id text box, I want to make sure whether that email id is valid or invalid(existing or not existing).
Ex: john#gmail.com is valid,
john#xxxyyy.com is not valid.
How to find it whether it is valid or not. please help me. I searched some stack overflow. even though I didn't get.
There is no way to for you to know if an email account actually exists other than to send an email and see what happens. A delivery failure notice might be sent, but that is not guaranteed to be sent, and even if it is, it might not be sent for days depending on how many delivery attempts are made.
You can send a verification email which contains a URL of a web service you control and passes a unique ID. The email owner clicks on the URL and is directed at your web service. You look at the unique ID and now you know the email address exists.
https://emailhunter.co/api/docs#email-verification - is a web service API to check email addresses
try to create an email id in mail server. if exist it will return an existing mail return message.
You could use the built-in Microsoft SmtpClient Class if you know the adress of your SMTP server. The Send Method returns an exception when the delivery fails. Again, this is only a suggestion and perhaps too overwhelming for what you need, but this class is rather useful in C#.
Send one link on that email address with some query string parameters and based on those parameters activate their user profile otherwise not activate..
So based on this methodology, you can verify email address is valid or not.
I'm building a sign-up / login flow for a web site. I plan to use Facebook as my identity provider instead of rolling my own.
I have a good feel for the server-side login flow with Facebook:
Call FB login API to get a code
Exchange the code for a user access token
Inspect the user access token
Validate the user access token details
After these steps, I'd like to check if the authenticated user is already registered in my system. If yes, simply return a newly generated bearer token, so the user can make subsequent requests to resource servers to access protected data.
If the user is not registered in the system, however, then I'd like to register them by creating a database entry. Before creating this entry though, I'd like to collect one piece of information from the user. Namely, I'd like for them to tell me their desired 'username'. I will use this unique username as my database primary key.
I'm not 100% sure on how to securely ask the user for their desired username before creating the database entry. This is my question. :)
One thought I had was to create a "redemption code". This code would be encrypted and contain the user initialization details, a secret only the server would know, and a timestamp. Something like this:
code: {
mySecret: "super-secret-value",
expirationDate: "date-value",
user: { ... },
}
After seeing the user is not in my system, I'd respond with the code + redirect the client to a page where they'd be able to specify their username. Upon submitting their username + code back up to the server, I could decrypt the code, and validate mySecret to determine the code is not tampered. If all is good, create the user in the database with the user information from the redeemed code. Lastly, I'd generate a new bearer token for the user and send it to the client.
Questions
Is my proposed redemption code strategy a secure way of requesting a username before creating the backend DB entry?
If not, what would be?
If yes, what is a secure encryption/decryption routine to use for this purpose in C#?
Flow Sequence
Steps 1-4 from above correspond to "Login" through "Validate" arrows.
My proposed redemption code strategy corresponds to the purple arrows.
Red text corresponds to Facebook specific nomenclature.
Note, Stack Overflow does something very similar to what I want to do. Before creating your account on SO, it will ask you for your desired Display Name (this happens after authenticating via Facebook, Google, etc.). After submitting your display name, your account is registered.
Use open source IdentityServer3.
Whatever flow you choose its already standardized in their server. Including (if you want or need) OpenID, OAuth2 etc.
I have setup a quick page to accept an email address which will send an email to it which will later contain a link to reset password or a new temporary one.
My project is a new ASP .Net MVC project using Identity. I thought the best way to reset it would be to send a link to the email which when clicked allows the user to enter a new one but then I'm not sure what to put on the page the link is directed to, to allow this functionality and keep the site secure.
Is it simply easiest in this case to send a new temporary one?
This was too long to fit in a comment so hopefully I don't get downvoted without actual code examples :O
A common solution that I've seen:
When a user requests a password reset, record a guid/random hash and expiration datetime to the user's information in your user store (db most likely).
An email with a link to a temporary page is sent to the user's email address on file (this solution does require a valid email address).
Once the temporary page is hit, the link can be set to immediately expire (set the expiration date to datetime.now, or remove the guid/hash from the user info, etc).
This temporary page URL would likely have the guid/hash for the recorded user in the query string, so it should be pretty hard to find without having the link in the email. For added security, the user can be required to put in the username/email that requested the password reset (as there should potentially be no mention of usernames/passwords on the page. Once this validation is done (or not) give the user the appropriate fields to reset their password.
Another final note on the "forgot password link" don't provide any information on whether or not a username "does not exist" as this can give the potential of finding valid user names on your site.
EDIT:
here's a previous stack overflow question that might explain it better than I did (don't look at the "accepted" answer, look at the most upvoted answer. :)
Generate temporary URL to reset password
You can find a complete sample that uses "Forgot password" functionality in the prerelease version of "Microsoft ASP.NET Identity Samples 2.1.0-alpha1" NuGet package.
Steps
Create Empty Web Application project
Install sample project: Install-Package Microsoft.AspNet.Identity.Samples -Pre
Start the application and register a new user.
Go to Log in page an click on "Forgot password". Then add the recent registered user e-mail.
Then, you will be able to debug the application checking the "Forgot password" process.
I am working on asp.net application.
I have to work on a functionality where system admin should be able to send invitations to view user specific documents by email. When user clicks on the invitation, system should be able to recognize the user and open the document.
I am thinking of using 16 digit hash keys against each email and store them in db when admin send the invitation. When user clicks the invitation retrieving the user details using 16 digit hash key.
But I feel there could be a better way of doing it.
Please suggest me to implement the functionality in a better way.
If your users generally have to log in, you may also want to force them to log in after clicking the link in the email before opening the document (or answer some other question), especially if the documents are at all sensitive in nature. At the very least you should disable the key after they open the document or after some amount of time has passed.
Email accounts get hacked all the time and you don't want the attacker to be able to click on the same link and gain access to any sensitive data.
In Database create a table that contains
UserDocuments { UserKey, DocumentKey, GUID, IsRead (false by default)}
store user and document key relation in this table.
Generate a random public key (GUID) and store this key in this table and send the same key to user using email, mail , phone or any direct secure way.
Let the document page contain DocumentKey in querystring.
When user opens the document page, authenticate user against the DocumentKey, UserKey in the table.
Don't allow if IsRead is false.
If authentication suceeds ask them to enter GUID.
again check in database if the userid is valid, if yes open the document and mark IsRead true.