I want to update the password without making the user enter his username or emailid as the user will already be logged in.
So in the following code snippet of my webmethod, if I don't want to use emailid=#emailid in the where clause,
where should I add the code with the logic to change the password only at emailid1 and not at emailid2 if both emailids have the same password? Thanks.
string update = "update client set pwd=#newpass where pwd=#oldpass";
If the user is already logged in you should have the email in some variable.
And you can use this variable in your updatestring.
So the user doesn't need to type his email again.
I am sending a link to an email address for password reset functionality, and after some time I want this link to expire. For that I have created a token (which is encrypted using a key) and an expire-date, and I want to put these as a query in my email link, but I don't know how to do it.
This is how I use the token class in the forgotPassword Post method.
var tokenModel = new LinkExpire();
tokenModel.ExpiresOn = DateTime.Now.AddSeconds(10);
tokenModel.CreateToken = TokenHelperMethods.GetToken(tokenModel);
This is my link code.
string resetCode = Guid.NewGuid().ToString();
var varifyUrl = "/E_HealthCare_Web/Account/ResetPassword/" + resetCode;
var link = Request.Url.AbsoluteUri.Replace(Request.Url.PathAndQuery, varifyUrl);
And in my email body I am sending the link like this:
"<br/> <br/> <a href = '" + link +"&expire="+tokenModel.ExpiresOn+"&token="+tokenModel.CreateToken+"'>Reset link</a> <br/><br/>" +
which does not work as expected. Can anyone help me achieve this? Also, I am not using Core, only MVC5.
Edit: this is my controller where I am receiving the link values
public ActionResult ResetPassword(string id, DateTime expire, string token)
Clicking on the link gives the error: A potentially dangerous Request.Path value was detected from the client (&).
Here is my suggestion: instead of adding expiration and token query parameters to the URL, manage this at your method action level, i.e.
You already have the information about which login is going to this URL. All you have to do is, before sending this URL via email, make a separate temp table that will have the user ID, the reset password URL path, a created date/time column (this column will manage the date/time when you send the URL to the user for password reset) and an active/inactive status column.
Now at code level, when this particular URL is hit by the user, first get only the active row entry against this URL and user ID and get the created date/time column value.
Check the difference between the active created date/time column and the current date/time.
If the difference between the two dates is more than 24hr, send an expiration response; otherwise change the password.
Mark that entry as inactive.
Know that against each user the active entry in this new table exists only when the user requests a password reset; otherwise all existing entries are marked as inactive.
You can delete instead of marking active/inactive as well. This is a temp table.
I have a scenario here whereby when a user wants to reset a password, the system will have to send a temporary random generated password to the user by email. I tried storing the temporary password into a new column in the database but I am not really sure about whether this approach works well. Some people recommend using token such as below:
string code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
However, I am really new to ASP.NET and I am not familiar with token. How do I compare the temporary generated token with the token in the database?
Another method that I found to implement this is to have a Membership.GeneratePassword function that generates a random string of characters:
model.temppwd = Membership.GeneratePassword(10, 1);
Can anybody provide me an ideal way to implement this functionality with some example? Thank you!
In our project we used
Guid.NewGuid();
and sent the email containing the link to the recover password action (MVC) as a query string: https://yoursite.com/account/reset/?code=your_guid_code
Example:
// ResetPassword is the poster's own model class holding the reset code
ResetPassword resetPassword = new ResetPassword();
resetPassword.Code = Guid.NewGuid();
string strLink = string.Format("{0}", actionUrl + "?code=" + resetPassword.Code);
And now you can use the strLink to send with your e-mail. You'll need to store the Guid in a database table alongside with the userId, so that you can implement the resetting procedure. When the user clicks the link from your email he'll get in a form / view that asks for a new password. Also you'll want to add an extra column to that table in order to provide an expiration limit for that code. If the user clicks the link in the e-mail and the code expired you'll have to inform the user and send another e-mail with another code.
I am using a login control where the user enters the username and password. I want to retrieve those values of username and password in another page in the application. Is there a way to do that in C#? I am using the asp.net login control.
Not the password, as that's double-blind to protect the user's security. But the username is easy to get:
I use this frequently:
lblUser.Text = "Welcome " + User.Identity.Name;
All you have to do is call Membership.GetUser();
How about HttpContext.Current.User?
Excuse my intrusion as I don't know either C# or asp.net. However, you could have a public variable on the system which could hold that info across pages.
I have an ASP.NET App in which I want to send an email to a user that presses a Recover Password button that resets the user's password and then sends a link to the user that when followed will log the user in with a new password and bring them to the Change Password page where they must reset their password.
I'm able to reset the password and get the new randomly generated password that I send back to the user in an email. However, when the user follows the link back with the UserName and pw parameters, the system does not seem to log them in.
Here's the code I am using on the load event that does not seem to work:
try
{
    string sUserName = Request.QueryString["UserName"].ToString();
    string sPw = Request.QueryString["pw"].ToString();
    if (Membership.ValidateUser(sUserName, sPw))
    {
        //Log the user in???
        FormsAuthentication.Authenticate(sUserName, sPw);
    }
}
catch (Exception r)
{
    string sMessage = r.Message;
}
Any help in logging the user in with username and password parameters would be greatly appreciated.
You can use FormsAuthentication.SetAuthCookie() :
if (Membership.ValidateUser(sUserName, sPw))
{
    FormsAuthentication.SetAuthCookie(sUserName, true);
}
In your sample code you are retrieving the user name and password from the query string - this is very bad practice as any observer will see it in plain text. At least use a POST for these values and put them in the body (i.e. with a form POST) and always use HTTPS at least for your login page.
Use the following code.
if (Membership.ValidateUser(sUserName, sPw))
{
    FormsAuthentication.SetAuthCookie(sUserName, true);
    Response.Redirect("ChangePassword.aspx");
}
FormsAuthentication.Authenticate is almost the same as FormsAuthentication.ValidateUser. They just validate user authentication. SetAuthCookie creates the authentication ticket (login).
This is how (IMO) reset password functionality should work:
User clicks button saying "Forgot Password".
In your code store a random GUID in the DB.
Send the user an email, with the GUID as a link in the email, as well as their userid, e.g:
http://yoursite.com/user/reset?guid=a21312738&userid=213123
On the incoming page, read the userid from the QS, and fetch the user from the DB by this value.
Compare the stored GUID from the GUID in the QS. If success, render a form that allows the user to change the password via an HTTPS POST.
In the POST action, change the user's password and sign them in.
You could also go one step further and store an expiration date for the GUID (e.g user must change their password in 24 hours).
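The server-side flow that the answers above describe (a stored code with a user id and an expiry, checked and invalidated when the link is followed), as an added example that is not code from any of the posts. The in-memory dictionary stands in for the database table; `ResetTokenStore`, `IssueLink` and `Redeem` are hypothetical names, and drawing the code from `RandomNumberGenerator` instead of `Guid.NewGuid()` and storing only its SHA-256 hash are choices of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: in-memory stand-in for the reset table (code hash, user id, expiry).
public class ResetTokenStore
{
    private class Entry { public string UserId; public DateTime ExpiresUtc; }
    // Key is the SHA-256 hash of the code, so a leaked table cannot be replayed as links.
    private readonly Dictionary<string, Entry> _rows = new Dictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    public ResetTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    private static string Hash(string code)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(code)));
    }

    // Issues a code for the user and returns the link to put in the e-mail.
    public string IssueLink(string userId, string resetActionUrl, DateTime nowUtc)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string code = Convert.ToBase64String(bytes);

        // A new request invalidates earlier ones: at most one active row per user.
        var stale = new List<string>();
        foreach (var kv in _rows) if (kv.Value.UserId == userId) stale.Add(kv.Key);
        foreach (var key in stale) _rows.Remove(key);
        _rows[Hash(code)] = new Entry { UserId = userId, ExpiresUtc = nowUtc + _lifetime };

        // '?' starts the query string; the value is escaped because Base64 contains + / =.
        return resetActionUrl + "?code=" + Uri.EscapeDataString(code);
    }

    // Returns the user id for a valid code and consumes it; null if unknown, used or expired.
    public string Redeem(string code, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(code)) return null;
        string key = Hash(code);
        Entry row;
        if (!_rows.TryGetValue(key, out row)) return null;
        _rows.Remove(key); // single use, even when the code has expired
        return nowUtc <= row.ExpiresUtc ? row.UserId : null;
    }
}
```

The action that renders the new-password form calls `Redeem` with the `code` query value and `DateTime.UtcNow`; a null result means the user has to request a fresh link.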
I developed a web application. It has a login form using ASP.NET membership. Now I need to add a form allowing to change the password. Before a new password can be set, the old password must be entered by the user.
How can I check if the old password is valid?
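// checking if the old password is correct
if (Membership.ValidateUser(username, oldPassword))
{
    // ResetPassword() is an instance method: look the user up first
    MembershipUser user = Membership.GetUser(username);
    // generates a new random password and returns it
    string newPassword = user.ResetPassword();
}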
Membership.ValidateUser
Membership.ResetPassword
If the user is logged in then you have the user id,
so retrieve all user information like user name and password using it.
Now you can just ask the user to enter his old password and match the two; if both match, then change the password to the new one.
Use the ChangePassword control.
http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.changepassword.aspx