Where to find C# sample code to implement password recovery in ASP .NET MVC2

Question

How to implement password reset in MVC2 application?

Passwords are hashed using ASP .NET membership provider. Password recovery question is not used. Standard ASP .NET MVC2 project template with standard AccountController class is used.

If user forgots password, email with temporary link or with new password should sent to user e-mail address .

Where to find code to implement this in MVC 2 C# ?

stack overflow contains two answers which discuss methods about implementing this. There is not sample code. I googled for "asp .net mvc password reset c# sample code download" but havent found sample code for this.

I'm new to MVC. Where to find sample code for password recovery? This is missing from VS2010 generated project template.

Update

I tried this code in Mono 2.10 but got exception:

CspParameters not supported by Mono

at line

        des.Key = pdb.CryptDeriveKey("RC2", "MD5", 128, new byte[8]);

How to run it in Mono ?

Stack Trace:

System.NotSupportedException: CspParameters not supported by Mono
at System.Security.Cryptography.PasswordDeriveBytes.CryptDeriveKey (string,string,int,byte[]) [0x0001b] in /usr/src/redhat/BUILD/mono-2.10.2/mcs/class/corlib/System.Security.Cryptography/PasswordDeriveBytes.cs:197
at store2.Helpers.Password.EncodeMessageWithPassword (string,string) <IL 0x00055, 0x000f3>
at store2.Helpers.AccountHelper.GetTokenForValidation (string) <IL 0x00033, 0x00089>
at MvcMusicStore.Controllers.AccountController.PasswordReminder (MvcMusicStore.Models.PasswordReminderModel) <IL 0x001ac, 0x00495>
at (wrapper dynamic-method) System.Runtime.CompilerServices.ExecutionScope.lambda_method (System.Runtime.CompilerServices.ExecutionScope,System.Web.Mvc.ControllerBase,object[]) <IL 0x00020, 0x0005b>
at System.Web.Mvc.ActionMethodDispatcher.Execute (System.Web.Mvc.ControllerBase,object[]) <IL 0x00008, 0x0001b>
at System.Web.Mvc.ReflectedActionDescriptor.Execute (System.Web.Mvc.ControllerContext,System.Collections.Generic.IDictionary`2<string, object>) <IL 0x00072, 0x00103>
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod (System.Web.Mvc.ControllerContext,System.Web.Mvc.ActionDescriptor,System.Collections.Generic.IDictionary`2<string, object>) <IL 0x00003, 0x00019>
at System.Web.Mvc.ControllerActionInvoker/<>c__DisplayClassd.<InvokeActionMethodWithFilters>b__a () <IL 0x0002d, 0x00068>
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter (System.Web.Mvc.IActionFilter,System.Web.Mvc.ActionExecutingContext,System.Func`1<System.Web.Mvc.ActionExecutedContext>) <IL 0x00031, 0x000b6>


--------------------------------------------------------------------------------
Version information: Mono Runtime Version: 2.10.2 (tarball Mon Apr 18 18:57:39 UTC 2011); ASP.NET Version: 2.0.50727.1433

score 17 · Accepted Answer · edited Mar 20 '13 at 16:15

Here is my approach. In MVC you will have an action called RetrievePassword where you will ask for the user's email address and pass it in a post

    [HttpGet]
    public ActionResult RetrievePassword()
    {
        return View();
    }

    [HttpPost]
    public ActionResult RetrievePassword(PasswordRetrievalModel model)
    {
        if (ModelState.IsValid)
        {
            string username = Membership.GetUserNameByEmail(model.Email);

            if (!String.IsNullOrEmpty(username))
            {
                // This is a helper function that sends an email with a token (an MD5).
                NotificationsHelper.SendPasswordRetrieval(model.Email, this.ControllerContext);
            }
            else
            {
                Trace.WriteLine(String.Format("*** WARNING:  A user tried to retrieve their password but the email address used '{0}' does not exist in the database.", model.Email));
             }


            return RedirectToAction("Index", "Home");
        }

        return View(model);
    }

An email message will be sent with a url that redirects to http://example.com/Account/Validate?email=xxxxxxxx&token=xxxxxxxx

If the token is valid for the email, you will probably display a password reset form so they choose a new password.

So you need a Validate Action:

[HttpGet]
    [CompressFilter]
    public ActionResult Validate(string email, string token)
    {
        bool isValid = false;

        if (AccountHelper.IsTokenValid(token, email))
        {
            string username = Membership.GetUserNameByEmail(email);
            if (!String.IsNullOrEmpty(username))
            {
                // Get the user and approve it.
                MembershipUser user = Membership.GetUser(username);
                user.IsApproved = true;
                Membership.UpdateUser(user);

                isValid = true;

                // Since it was a successful validation, authenticate the user.
                FormsAuthentication.SetAuthCookie(username, false);
            }
            else
            {
                isValid = false;
            }
        }

        return View(isValid);
    }

Here are some of the helpers you see in this code:

Account Helper

/// <summary>
    /// Gets the token for invitation.
    /// </summary>
    /// <param name="email">The email.</param>
    /// <returns></returns>
    public static string GetTokenForInvitation(string email)
    {
        if (String.IsNullOrEmpty(email))
            throw new ArgumentException("The email cannot be null");

        string token = Password.EncodeMessageWithPassword(String.Format("{0}#{1}", email, DateTime.Now), SEED);

        return token;
    }


    /// <summary>
    /// Gets the email from token.
    /// </summary>
    /// <param name="token">The token.</param>
    /// <param name="email">The email.</param>
    /// <returns></returns>
    public static bool GetEmailFromToken(string token, out string email)
    {
        email = String.Empty;


        string message = Password.DecodeMessageWithPassword(token, SEED);
        string[] messageParts = message.Split('#');

        if (messageParts.Count() != 2)
        {
            return false;
            // the token was not generated correctly.
        }
        else
        {
            email = messageParts[0];
            return true;
        }
    }



    /// <summary>
    /// Helper function used to generate a token to be used in the message sent to users when registered the first time to confirm their email address.
    /// </summary>
    /// <param name="email">The email address to encode.</param>
    /// <returns>The token generated from the email address, timestamp, and SEED value.</returns>
    public static string GetTokenForValidation(string email)
    {
        if (String.IsNullOrEmpty(email))
            throw new ArgumentException("The email cannot be null");

        string token = Password.EncodeMessageWithPassword(String.Format("{0}#{1}", email, DateTime.Now), SEED);

        return token;
    }


    /// <summary>
    /// Validates whether a given token is valid for a determined email address.
    /// </summary>
    /// <param name="token">The token to validate.</param>
    /// <param name="email">The email address to use in the validation.</param>
    /// <returns><c>true</c> if the token is valid, <c>false</c> otherwise.</returns>
    public static bool IsTokenValid(string token, string email)
    {
        return IsTokenValid(token, email, DateTime.Now);
    }


    /// <summary>
    /// Core method to validate a token that also offers a timestamp for testing.  In production mode should always be DateTime.Now.
    /// </summary>
    /// <param name="token">The token to validate.</param>
    /// <param name="email">the email address to use in the validation.</param>
    /// <param name="timestamp">The timestamp representing the time in which the validation is performed.</param>
    /// <returns><c>true</c> if the token is valid, <c>false</c> otherwise.</returns>
    public static bool IsTokenValid(string token, string email, DateTime timestamp)
    {
        if (String.IsNullOrEmpty(token))
            throw new ArgumentException("The token cannot be null");

        try
        {
            string message = Password.DecodeMessageWithPassword(token, SEED);
            string[] messageParts = message.Split('#');

            if (messageParts.Count() != 2)
            {
                return false;
                // the token was not generated correctly.
            }
            else
            {
                string messageEmail = messageParts[0];
                string messageDate = messageParts[1];

                // If the emails are the same and the date in which the token was created is no longer than 5 days, then it is valid. Otherwise, it is not. 
                return (String.Compare(email, messageEmail, true) == 0 && timestamp.Subtract(DateTime.Parse(messageDate)).Days < 5);
            }
        }
        catch (Exception)
        {
            // could not decrypt the message. The token has been tampered with.
            return false;
        }
    }

And Finally here some code to encrypt, decript a token...

I have it in a Password class that is intended to be a helper.

/// EDIT: Removed the two functions I referenced before and show the full helper class.

Here is the Password static class with all helper functions.

using System;
using System.Text;
using System.IO;
using System.Security.Cryptography;
using System.Data;
using System.Resources;

namespace MySolution.Common.Util
{
    /// <summary>
    /// Implements some functions to support password manipulation or generation
    /// </summary>
    public class Password
    {
        /// <summary>
        /// Takes a string and generates a hash value of 16 bytes.
        /// </summary>
        /// <param name="str">The string to be hashed</param>
        /// <param name="passwordFormat">Selects the hashing algorithm used. Accepted values are "sha1" and "md5".</param>
        /// <returns>A hex string of the hashed password.</returns>
        public static string EncodeString(string str, string passwordFormat)
        {
            if (str == null)
                return null;

            ASCIIEncoding AE = new ASCIIEncoding();
            byte[] result;
            switch (passwordFormat)
            {
                case "sha1":                    
                    SHA1 sha1 = new System.Security.Cryptography.SHA1CryptoServiceProvider();
                    result = sha1.ComputeHash(AE.GetBytes(str));
                    break;
                case "md5":
                    MD5 md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
                    result = md5.ComputeHash(AE.GetBytes(str));
                    break;
                default:
                    throw new ArgumentException("Invalid format value. Accepted values are 'sha1' and 'md5'.", "passwordFormat");
            }

            // Loop through each byte of the hashed data 
            // and format each one as a hexadecimal string.
            StringBuilder sb = new StringBuilder(16);
            for (int i = 0; i < result.Length; i++)
            {
                sb.Append(result[i].ToString("x2"));
            }


            return sb.ToString();
        }

        /// <summary>
        /// Takes a string and generates a hash value of 16 bytes.  Uses "md5" by default.
        /// </summary>
        /// <param name="str">The string to be hashed</param>
        /// <returns>A hex string of the hashed password.</returns>
        public static string EncodeString(string str)
        {
            return EncodeString(str, "md5");
        }



        /// <summary>
        /// Takes a string and generates a hash value of 16 bytes.
        /// </summary>
        /// <param name="str">The string to be hashed</param>
        /// <param name="passwordFormat">Selects the hashing algorithm used. Accepted values are "sha1" and "md5".</param>
        /// <returns>A string of the hashed password.</returns>
        public static string EncodeBinary(byte[] buffer, string passwordFormat)
        {
            if (buffer == null)
                return null;

            byte[] result;
            switch (passwordFormat)
            {
                case "sha1":
                    SHA1 sha1 = new System.Security.Cryptography.SHA1CryptoServiceProvider();
                    result = sha1.ComputeHash(buffer);
                    break;
                case "md5":
                    MD5 md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
                    result = md5.ComputeHash(buffer);
                    break;
                default:
                    throw new ArgumentException("Invalid format value. Accepted values are 'sha1' and 'md5'.", "passwordFormat");
            }


            // Loop through each byte of the hashed data 
            // and format each one as a hexadecimal string.
            StringBuilder sb = new StringBuilder(16);
            for (int i = 0; i < result.Length; i++)
            {
                sb.Append(result[i].ToString("x2"));
            }


            return sb.ToString();
        }

        /// <summary>
        /// Encodes the buffer using the default cryptographic provider.
        /// </summary>
        /// <param name="buffer">The buffer.</param>
        /// <returns></returns>
        public static string EncodeBinary(byte[] buffer)
        {
            return EncodeBinary(buffer, "md5");
        }





        /// <summary>
        /// Creates a random alphanumeric password.
        /// </summary>
        /// <returns>A default length character string with the new password.</returns>
        /// <remarks>The default length of the password is eight (8) characters.</remarks>
        public static string CreateRandomPassword()
        {
            //Default length is 8 characters
            return CreateRandomPassword(8);
        }

        /// <summary>
        /// Creates a random alphanumeric password on dimension (Length).
        /// </summary>
        /// <param name="Length">The number of characters in the password</param>
        /// <returns>The generated password</returns>
        public static string CreateRandomPassword(int Length)
        {
            Random rnd = new Random(Convert.ToInt32(DateTime.Now.Millisecond));  //Creates the seed from the time
            string Password="";
            while (Password.Length < Length ) 
            {
                char newChar = Convert.ToChar((int)((122 - 48 + 1) * rnd.NextDouble() + 48));
                if ((((int) newChar) >= ((int) 'A')) & (((int) newChar) <= ((int) 'Z')) | (((int) newChar) >= ((int) 'a')) & (((int) newChar) <= ((int) 'z')) | (((int) newChar) >= ((int) '0')) & (((int) newChar) <= ((int) '9')))
                    Password += newChar;
            }
            return Password;
        }

        /// <summary>
        /// Takes a text message and encrypts it using a password as a key.
        /// </summary>
        /// <param name="plainMessage">A text to encrypt.</param>
        /// <param name="password">The password to encrypt the message with.</param>
        /// <returns>Encrypted string.</returns>
        /// <remarks>This method uses TripleDES symmmectric encryption.</remarks>
        public static string EncodeMessageWithPassword(string plainMessage, string password)
        {
            if (plainMessage == null)
                throw new ArgumentNullException("encryptedMessage", "The message cannot be null");

            TripleDESCryptoServiceProvider des = new TripleDESCryptoServiceProvider();
            des.IV = new byte[8];

            //Creates the key based on the password and stores it in a byte array.
            PasswordDeriveBytes pdb = new PasswordDeriveBytes(password, new byte[0]);
            des.Key = pdb.CryptDeriveKey("RC2", "MD5", 128, new byte[8]);

            MemoryStream ms = new MemoryStream(plainMessage.Length * 2);
            CryptoStream encStream = new CryptoStream(ms, des.CreateEncryptor(), CryptoStreamMode.Write);
            byte[] plainBytes = Encoding.UTF8.GetBytes(plainMessage);
            encStream.Write(plainBytes, 0, plainBytes.Length);
            encStream.FlushFinalBlock();
            byte[] encryptedBytes = new byte[ms.Length];
            ms.Position = 0;
            ms.Read(encryptedBytes, 0, (int)ms.Length);
            encStream.Close();

            return Convert.ToBase64String(encryptedBytes);
        }

        /// <summary>
        /// Takes an encrypted message using TripleDES and a password as a key and converts it to the original text message.
        /// </summary>
        /// <param name="encryptedMessage">The encrypted message to decode.</param>
        /// <param name="password">The password to decode the message.</param>
        /// <returns>The Decrypted message</returns>
        /// <remarks>This method uses TripleDES symmmectric encryption.</remarks>
        public static string DecodeMessageWithPassword(string encryptedMessage, string password)
        {
            if (encryptedMessage == null)
                throw new ArgumentNullException("encryptedMessage", "The encrypted message cannot be null");

            TripleDESCryptoServiceProvider des = new TripleDESCryptoServiceProvider();
            des.IV = new byte[8];

            //Creates the key based on the password and stores it in a byte array.
            PasswordDeriveBytes pdb = new PasswordDeriveBytes(password, new byte[0]);
            des.Key = pdb.CryptDeriveKey("RC2", "MD5", 128, new byte[8]);

            //This line protects the + signs that get replaced by spaces when the parameter is not urlencoded when sent.
            encryptedMessage = encryptedMessage.Replace(" ", "+");
            MemoryStream ms = new MemoryStream(encryptedMessage.Length * 2);
            CryptoStream decStream = new CryptoStream(ms, des.CreateDecryptor(), CryptoStreamMode.Write);

            byte[] plainBytes; 
            try 
            {
                byte[] encBytes = Convert.FromBase64String(Convert.ToString(encryptedMessage));
                decStream.Write(encBytes, 0, encBytes.Length);
                decStream.FlushFinalBlock();                
                plainBytes = new byte[ms.Length];
                ms.Position = 0;                
                ms.Read(plainBytes, 0, (int)ms.Length);
                decStream.Close();
            }
            catch(CryptographicException e)
            {
                throw new ApplicationException("Cannot decrypt message.  Possibly, the password is wrong", e);
            }

            return Encoding.UTF8.GetString(plainBytes);
        }
    }
}

Thank you. Excellent. I marked it as answer. After validation user should be forced to change password. Question and answer are not used. MembershipUser class method `ChangePassword(string oldPassword, string newPassword)` requires old password but user has forgotten this. How to change password after validation? Should temporary password created using `user.ResetPassword()` used or is there better way. Can you provide code for this ? — Andrus, Oct 19 '11 at 18:02
That is exactly right. You need to reset the password and you will obtain a temporary password. Use that to change the password so you can assign the one the user provided. It is just an extra call to the reset password. — agarcian, Oct 22 '11 at 13:50
thank. you. Why you didnt email password returned from ResetPassword but emailed url instead? — Andrus, Oct 22 '11 at 17:55
I guess it adds a bit of security... I don't like the idea of sending passwords via email, so sending the url back to the user to force them to change their password was my preferred option. I guess that is optional... — agarcian, Oct 22 '11 at 20:33
Very nice. Dumb question, though: where is the `Password` class defined? Is this a custom class? — Tieson T., Oct 31 '11 at 07:28
Added the whole Password class that contains helper functions for everything related to the encryption or decryption of messages. — agarcian, Oct 31 '11 at 17:12
@agarcian Okay, I am listing the questions in one post:
1. Need `PasswordRetrievalModel`
2. Need `NotificationsHelper`
3. What is the `SEED` in the `AccountHelper`? How to prepare it?
4. What is `[CompressFilter]`? Is it MVC2 only? — Blaise, Nov 08 '11 at 13:56
@Blaise: `PasswordRetrievalModel` is simply a POCO to be used as the model of the View that allows the user to set the new password. `NotificationsHelper` is a helper function to send emails. I use it to consolidate all the possible notifications I want to send throughout the application. SEED is simply a random string used in the encryption. Simply initialize it to empty or to any string you want. `[CompressFilter]` can be eliminated or you can get it from here: http://weblogs.asp.net/rashid/archive/2008/03/28/asp-net-mvc-action-filter-caching-and-compression.aspx Hope this helps. — agarcian, Nov 13 '11 at 09:54
I tried it in Mono but got exception `CspParameters not supported by Mono` at line `des.Key = pdb.CryptDeriveKey("RC2", "MD5", 128, new byte[8])`. How to run it in Mono ? I updated question. — Andrus, Dec 10 '11 at 18:48
@agarcian: I posted it as separate question in http://stackoverflow.com/questions/8459011/how-to-fix-cspparameters-not-supported-by-mono-exception-calling-cryptderivekey — Andrus, Dec 10 '11 at 18:59
@keyCrumbs Here is the NotificationsHelper. It may have changed since I wrote this code and may have some unrelated code, but I hope it helps. https://gist.github.com/agarcian/5828445 — agarcian, Jun 21 '13 at 02:33
@agarcian If duplicated e-mail addresses are allowed, password rest method changes all e-mails. How to fix it so that only this user password who requested change will changed? — Andrus, Oct 24 '13 at 13:27
@Andrus Don't use GetUserByEmail. You will need to identify the user by their username, not by their email. — agarcian, Oct 26 '13 at 07:32
Thank you. Shuld we add user as third parameter to encrypted token? — Andrus, Oct 26 '13 at 11:06
Hi! I want to ask about the SEED. What approach to use: 1) A string constant. (eg:private const string SEED = "3nKY==IUYb-JGgd") 2) A static variable which is instantiated once for the Application. (eg: private static string SEED=GenerateRandomString();) Thank you! — Cristian E., Jan 17 '14 at 08:22
@Christian You should use the same seed always, because the generation and validation of the key happen at different times. You generate the key now and send it to the user; she will validate it within 10-15 minutes, or a day or two if you allow it. So the service needs to be able to use the same seed. — agarcian, Jan 20 '14 at 22:17

score 0 · Answer 2 · answered Dec 03 '12 at 08:22

Answer to implement password reset in MVC2 application

public string ResetPassword(string userName)
    {
        MembershipUser user = _provider.GetUser(userName, false);

        if (user.IsLockedOut)
            user.UnlockUser();

        user.Comment = null;
        _provider.UpdateUser(user);

        string newPassword = user.ResetPassword();
        string friendlyPassword = GenerateNewPassword();
        _provider.ChangePassword(userName, newPassword, friendlyPassword);
        return friendlyPassword;
    }


private string GenerateNewPassword()
    {
        string strPwdchar = "abcdefghijklmnopqrstuvwxyz0123456789#@$ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        string strPwd = "";
        Random rnd = new Random();
        for (int i = 0; i <= 8; i++)
        {
            int iRandom = rnd.Next(0, strPwdchar.Length - 1);
            strPwd += strPwdchar.Substring(iRandom, 1);
        }
        return strPwd;
    }

That is just so bad its making my eyes bleed – Piotr Kula Mar 20 '13 at 17:26 — Piotr Kula, Mar 20 '13 at 17:26

score 0 · Answer 3 · answered May 18 '13 at 14:18

0

here the russian version password recovery

answered May 18 '13 at 14:18

Vasiliy Mazhekin

688
8
24

score 0 · Answer 4 · answered Oct 17 '11 at 11:42

Set a Reset password GUID in user table. You may also use an expiration time. If user tried to reset password, update the field with a new GUID and datetime for expiration.

Send a link containing the link to reset password with the GUID.

A sample function like this can be created for that

GUID res = objPasswordResetService.resetPassword(Convert.ToInt64(objUserViewModel.UserID), restpasswordGuid, resetPasswordExpiryDateTime);

The value in res can be the GUID updated in DB. Send a link with this GUID. You can check the expiration time also. This is just an idea only

score 0 · Answer 5 · answered Oct 17 '11 at 13:17

0

I've got an example of how to implement password recovery in a standard ASP.NET MVC application in my blog.

This blog post assumes that you already have the login process working (database and all) and that you only need to wire the password recovery process.

http://hectorcorrea.com/Blog/Password-Recovery-in-an-ASP.NET-MVC-Project

answered Oct 17 '11 at 13:17

Hector Correa

26,290
8
57
73

Hector thank you. Your artice covers using password reminder question. I stated in question that password reminder question is not used. So answer should be probably very different from using password reminder as described in your great article. It whould probably involve sending temporary url or autogenerated new password by e-mail. – Andrus Oct 17 '11 at 14:18

Where to find C# sample code to implement password recovery in ASP .NET MVC2

5 Answers5

Linked