4

I have setup a quick page to accept an email address which will send an email to it which will later contain a link to reset password or a new temporary one.

My project is a new ASP .Net MVC project using Identity. I thought the best way to reset it would be to send a link to the email which when clicked allows the user to enter a new one but then I'm not sure what to put on the page the link is directed to, to allow this functionality and keep the site secure.

Is it simply easiest in this case to send a new temporary one?

user1166905
  • 2,612
  • 7
  • 43
  • 75

2 Answers2

1

This was too long to fit in a comment so hopefully I don't get downvoted without actual code examples :O

A common solution that I've seen:

When a user requests a password reset, record a guid/random hash and expiration datetime to the user's information in your user store (db most likely).

An email with a link to a temporary page is sent to the user's email address on file (this solution does require a valid email address).

Once the temporary page is hit, the link can be set to immediately expire (set the expiration date to datetime.now, or remove the guid/hash from the user info, etc).

This temporary page URL would likely have the guid/hash for the recorded user in the query string, so it should be pretty hard to find without having the link in the email. For added security, the user can be required to put in the username/email that requested the password reset (as there should potentially be no mention of usernames/passwords on the page. Once this validation is done (or not) give the user the appropriate fields to reset their password.

Another final note on the "forgot password link" don't provide any information on whether or not a username "does not exist" as this can give the potential of finding valid user names on your site.

EDIT:

here's a previous stack overflow question that might explain it better than I did (don't look at the "accepted" answer, look at the most upvoted answer. :)

Generate temporary URL to reset password

Community
  • 1
  • 1
Kritner
  • 13,557
  • 10
  • 46
  • 72
  • I always wonder about the "don't tell them the username is bad" thing though. I mean, if I wanted to do that it would be easier to just try to register usernames until one was accepted. – Casey Sep 07 '14 at 01:11
  • yeah that's true - "every little layer of security" is just another way of deterring malicious people though... i've heard it worded very well from someone before let's see if i can find the quote – Kritner Sep 07 '14 at 01:36
  • Additionally not all sites (at least not the ones I mostly do) allow for open registration, that is usually delegated to business owners of the products developed - in which case something like the above would have more of an impact. – Kritner Sep 07 '14 at 01:39
  • Yeah, true enough. Depends on the use case. – Casey Sep 07 '14 at 02:47
1

You can find a complete sample that uses "Forgot password" functionality in the prerelease version of "Microsoft ASP.NET Identity Samples 2.1.0-alpha1" NuGet package.

Steps

  1. Create Empty Web Application project
  2. Install sample project: Install-Package Microsoft.AspNet.Identity.Samples -Pre
  3. Start the application and register a new user.
  4. Go to Log in page an click on "Forgot password". Then add the recent registered user e-mail.

Then, you will be able to debug the application checking the "Forgot password" process.

Xavier Egea
  • 4,712
  • 3
  • 25
  • 39