I have an ASP.NET site where I am using an XML-based Tiny Membership provider. I want to send an email to the email address provided by the user while he creates an account on my site, which will have a link. It's only after clicking on this link that I want his account to get activated. How can I incorporate this functionality in the existing default behavior of the Membership Provider?
When you create the user, set MembershipUser.IsApproved to false, and send an email with the link to the new user. The Membership.CreateUser method has a parameter isApproved for this purpose.
When the user clicks on the link, validate then set MembershipUser.IsApproved to true.
Related
I am following the tutorial for .NET Core account and password recovery and I am not sure how things work. The tutorial says to add the email service in startup.cs, then everything just started to work. I have no idea where the forgot password page is located; it's not with the other pages. I checked hidden files and the actual directory itself (see image), yet I am being redirected there from the reset password link. I have no idea how the email service is being called, yet I can set a breakpoint and see that it is being hit with the correct data. I can see the SQL query used to get the user information. Is this functionality managed by Core Identity?
I have no idea where the forgot password page is located, it's not with the other pages
You need Scaffold Identity in your ASP.NET Core project.
That means you need to add the pages you need through Scaffold Identity: ForgotPassword, ForgotPasswordConfirmation, ResetPassword, ResetPasswordConfirmation.
Scaffold Identity in ASP.NET Core projects
I have no idea how the email service is being called yet I can set a break point and see that it is being hit with the correct data.
Is this functionality managed by core identity?
IEmailSender is in the package ASP.NET Core Identity.UI, with the default implementation injected in DI that doesn't do anything.
I will explain in detail below how to send an email to reset the password. You can read the process of resetting the password from first to last.
In other words, you need to implement IEmailSender.
In the link you gave, it has been given in detail how to implement IEmailSender.
In the example, SendGrid email provider is used. You can also choose other email providers.
You need to register a SendGrid account first, then create an API Key, and store your SendGrid information in appsettings.json.
You can create an API Key as follows.
appsettings.json:
SendGridUser:
It's the account you registered with SendGrid. For example, I registered with the email xxx.test.com, and SendGridUser is xxx.test.com.
SendGridKey:
This is the API Key mentioned above.
{
... ...
"AllowedHosts": "*",
"SendGridUser": "xxxx",
"SendGridKey": "xxxxx"
}
The process of resetting the password can be briefly summarized as follows:
Request the ForgotPassword page after clicking the link to reset the password
Enter your email address to reset the password
If the email address you need to reset your password exists and has been confirmed, then the method OnPostAsync in ForgotPassword will send an email to your email address.
If you set a breakpoint in the Execute method in the implementation class EmailSender of IEmailSender, you can see the result of the email sent.
You can open your mailbox to see the link to reset the password you received, then enter the reset password and submit the form.
After the form is successfully submitted, it will request the OnPostAsync method of ResetPassword, and the processing will be redirected to the ResetPasswordConfirmation page.
Result
I am designing some Forgot Password functionality in an ASP.NET application, and had a question about the best way to secure the endpoint where a user can reset their password.
How I imagine this to work is (roughly) the following:
User clicks 'Forgot Password' on the login form
User is taken to a screen where they will enter their email associated with their account
User is then taken to a screen where they can answer some security questions (required by my company)
After answering questions correctly, the user will be sent an email containing a link.
User clicks the link in their email which will take them to a password reset form
My question here is, how can I ensure that when someone arrives at this password reset form that they arrived there from clicking on that email link, and didn't just manually type in the URL to get there?
One solution I've thought of was to encrypt some data and append it as a parameter in the URL inside the email. So when they click that link, I can decrypt the data and ensure it came from a valid email before serving the form. But I'm not sure the best way to go about this.
A solution consists of creating a token that can be used once on the reset page. You send by email a link similar to https://example.com/PasswordLost?token=467dc4ad9acf4, then the site checks that the token is valid and displays the password change page. To add more security it is possible to limit the validity of the token in time: about ten minutes are largely sufficient. Once in use, the token should no longer be usable.
There are many ways to generate the token. You can generate a random string and store it in a database with the associated email address and the expiration date of the token. Then, you can validate it by querying the database. The other solution that I prefer, is to generate a token that is ciphered by the server. Then, you can decipher it and validate the data it contains (user email and expiration date, last password changed date). This way you don't have to store anything on the server. This is what ASP.NET Core Identity does.
You can read my blog post about how to implement Password reset feature in a web application? for more information.
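The second approach in the answer (a server-signed token carrying email, expiry and last-password-change date, with nothing stored), as an added example written for this page; it is not Identity's own token code nor the answer's. It assumes .NET 6 or later, a placeholder in-process key, a ten-minute lifetime, and a caller-supplied lookup of the user's current password-change timestamp.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Stateless password-reset token: HMAC over (expiry, last-password-change, email).
// Nothing is stored server-side; changing the password invalidates the token.
public static class ResetToken
{
    // Placeholder key: a real deployment loads a persistent key from protected configuration.
    private static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(10);

    public static string Create(string email, DateTimeOffset lastPasswordChange, DateTimeOffset now)
    {
        // Email goes last so a '|' inside an address cannot shift the numeric fields.
        string payload = $"{now.Add(Lifetime).ToUnixTimeSeconds()}|{lastPasswordChange.ToUnixTimeSeconds()}|{email}";
        byte[] bytes = Encoding.UTF8.GetBytes(payload);
        return B64Url(bytes) + "." + B64Url(HMACSHA256.HashData(Key, bytes));
    }

    // Returns the email the token was issued for, or null if it is forged, expired or already spent.
    // lastPasswordChangeFor looks up the user's current password-change time (null = unknown user).
    public static string? Validate(string token, Func<string, DateTimeOffset?> lastPasswordChangeFor, DateTimeOffset now)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] bytes, mac;
        try { bytes = FromB64Url(parts[0]); mac = FromB64Url(parts[1]); } catch (FormatException) { return null; }
        // Check the MAC in constant time before trusting anything inside the payload.
        if (!CryptographicOperations.FixedTimeEquals(mac, HMACSHA256.HashData(Key, bytes))) return null;
        string[] f = Encoding.UTF8.GetString(bytes).Split('|', 3);
        if (f.Length != 3 || !long.TryParse(f[0], out long exp) || !long.TryParse(f[1], out long pwd)) return null;
        if (now.ToUnixTimeSeconds() > exp) return null; // ten-minute window elapsed
        DateTimeOffset? current = lastPasswordChangeFor(f[2]);
        // Password changed since the token was issued (i.e. the token was already used): reject.
        if (current is null || current.Value.ToUnixTimeSeconds() != pwd) return null;
        return f[2];
    }

    private static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    private static byte[] FromB64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '='));
    }
}
```

On the reset page, `ResetToken.Validate(token, email => users[email]?.LastPasswordChange, DateTimeOffset.UtcNow)` yields the account to reset; once the new password is written and the stored timestamp updated, the same link is rejected on a second visit.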
I am using a link button in a mail which will be sent to different persons (Consider same mail server). If a user clicks from his mail, he will be redirected to a particular Web API.
I need to know "which mail user has clicked the link button?" from the mail.
TIA.
You would need to add a link to the button in the email which passes a unique identifying token to the page that you could then track.
Some systems will have the link go through to a tracking link first that logs the link press and then redirects the user to the final destination. This is a common pattern used by systems like MailChimp.
I have a requirement to prevent users from logging in to my ASP.NET Web API 2.0 Identity 3.0 backed website until an administrative account "activates" a user's confirmed registered ApplicationUser account.
I have implemented the EmailConfirmed logic to validate that the ApplicationUser account was registered with a working email address. Now I'm looking for an appropriate place to implement a check against the ApplicationUser.Activated property, that I have added, with behavior that prevents a login unless it has been set to true.
I've dug a little bit into the OAuthAuthorizationServerProvider class but I think I'm going to have to really take some time and understand OAuth 2.0 to get anywhere in there. Could anyone make a suggestion as to how and where to implement a test against an Activated property like this?
PS - I'm using bearer token authentication if that was not obvious.
Do one thing: when the user clicks on the activation link which you send to the user, after clicking on that link redirect to a page where you show one message, "You are successfully registered", and on the page load you call the database and set the activate column to true, put a timer on that page and redirect the user to the login page. During login you can check the user status with email and password; if the status is true that means it's a registered user.
Hope it will help.
Could someone explain to me how to send a verification email without using the ASP.NET user creation wizard? I want it so that when the email is sent, it will contain a URL link to activate an account.
First, add a field to the Users table called RegisterGuidId with type uniqueidentifier.
Second, after registration send a normal email to the user with a link to your activation page with the newly generated RegisterGuidId.
Third, after the user is redirected to your activation page, use the generated GUID to get the user data from the database.
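The three steps above as a stored-token activation flow, added here as an example that is not the answer's code. It assumes .NET 5 or later and an in-memory dictionary standing in for the Users table; as a deviation from the answer's plain GUID column, the link carries a 32-byte random value and only its SHA-256 is stored, the entry is consumed on first use, and the 24-hour validity is this example's choice.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Stored activation token: random value in the link, hash at rest, one-time use, expiring.
// The dictionary replaces the Users table's RegisterGuidId column for this example.
public sealed class ActivationStore
{
    private sealed record Pending(string Email, DateTimeOffset Expires);
    private readonly Dictionary<string, Pending> _pending = new(); // keyed by hex(SHA-256(token))
    public HashSet<string> Activated { get; } = new();             // emails whose account is now active

    // Steps 1 and 2: issue the token at registration; the caller puts the returned hex in the email link.
    public string Issue(string email, DateTimeOffset now)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);
        _pending[Convert.ToHexString(SHA256.HashData(raw))] = new Pending(email, now.AddHours(24)); // 24 h is this example's choice
        return Convert.ToHexString(raw);
    }

    // Step 3: the activation page hashes the submitted value, looks the user up and burns the entry.
    public bool Activate(string rawHex, DateTimeOffset now)
    {
        byte[] raw;
        try { raw = Convert.FromHexString(rawHex); } catch (FormatException) { return false; }
        string key = Convert.ToHexString(SHA256.HashData(raw));
        if (!_pending.Remove(key, out Pending? p)) return false; // unknown, or already used
        if (now > p.Expires) return false;                        // stale link: user must request a new one
        Activated.Add(p.Email);
        return true;
    }
}
```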
Basically what you need to do is, when the user registers, generate a hash that is specific to the user (ideally something that can't be predicted by the bad guys) -> send this hash to the email that the user provided.
If you get a request with the URL/hash, that means he verified his account.
That's the basic idea anyway.