
The current ASP.NET Identity password reset (through email verification) requires a user to enter an e-mail address and a new password. However, in most cases of a password reset, only a new password is required. How could this be done?

I found that the user id is found by getting the email, e.g.:

var user = await UserManager.FindByNameAsync(model.Email);

Is it possible to get the user id directly from the CallbackUrl of the password reset, as it contains the user id? Or is there any better alternative approach?

Jeroen
eulercode
    "in most case of password reset, only new password is required". Not true. The safer method is to use the email address as a means to authenticate the user before password reset. – GVashist Dec 08 '14 at 21:20

2 Answers


How I've handled this in the past is correlating the reset password URL to the reset password function with a timeout.

Workflow:

User clicks forgot password > email is sent with a link containing a GUID > Owner of email clicks on link > asp.net page reads GUID from URL > page checks if request is still within timeout limit > user enters a new password & confirms it.

RandomUs1r
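The workflow above, written out as an added example (not code from the question or the answers) against ASP.NET Identity 2 / MVC 5: the emailed link carries the user id and Identity's signed, time-limited reset token, so the form only asks for the new password and the token does the authentication. `ApplicationUserManager` and the view names are assumed from the standard project template.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public class ResetPasswordViewModel
{
    public string UserId { get; set; }          // carried in the link, then in a hidden field
    public string Code { get; set; }            // reset token from the link
    [Required, DataType(DataType.Password)] public string Password { get; set; }
    [Compare("Password")] public string ConfirmPassword { get; set; }
}

public class AccountController : Controller
{
    // Assumed: ApplicationUserManager from the MVC 5 template (OWIN-registered)
    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

    // Step 1: user asks for a reset; email a link with user id + token
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> ForgotPassword(string email)
    {
        var user = await UserManager.FindByEmailAsync(email);
        // Same response whether or not the address exists, so nothing is revealed
        if (user != null && await UserManager.IsEmailConfirmedAsync(user.Id))
        {
            // Token is signed and expires after the token provider's TokenLifespan
            var code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
            var link = Url.Action("ResetPassword", "Account",
                new { userId = user.Id, code }, protocol: Request.Url.Scheme);
            await UserManager.SendEmailAsync(user.Id, "Reset password",
                "Reset your password by clicking <a href=\"" + link + "\">here</a>");
        }
        return View("ForgotPasswordConfirmation");
    }

    // Step 2: link opened; only render the form, never reset on a GET
    [AllowAnonymous]
    public ActionResult ResetPassword(string userId, string code)
    {
        if (userId == null || code == null) return View("Error");
        return View(new ResetPasswordViewModel { UserId = userId, Code = code });
    }

    // Step 3: only the new password is typed; ResetPasswordAsync checks the token and its expiry
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        var result = await UserManager.ResetPasswordAsync(model.UserId, model.Code, model.Password);
        if (result.Succeeded) return RedirectToAction("ResetPasswordConfirmation");
        ModelState.AddModelError("", "The reset link is invalid or has expired.");
        return View(model);
    }
}
```

The token lifetime is set where the template configures `UserTokenProvider` (its `TokenLifespan` property), which is the "timeout limit" in the workflow above.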

How are you going to verify that whoever tries to reset the password is the owner of the account the password is being reset for? Either username or email is required to know who you are resetting the password for, and the password reset link sent to the email is a security requirement, not just a "feature".

Highly recommended reading on the subject (not long, but very useful): Troy Hunt, "Everything you ever wanted to know about building a secure password reset feature".

trailmax
  • It was a good article, though. However, this is the requirement that I need to resolve, meaning that I will have to come up with a solution that lets the user reset the password without entering an email – eulercode Dec 09 '14 at 13:22
  • @eulercode You might want to speak to your client about this requirement and strongly advise against the proposed practice. They might not be aware that they are asking to create a security hole in their application. – trailmax Dec 09 '14 at 14:24
  • Either username or email is required to know who you are resetting the password <-- or a unique guid correlated to the email that isn't easily guessable like an email. – RandomUs1r Mar 05 '15 at 15:43