Code Project > Web Development > ASP.NET

Password reset/token?

Tags: question, tutorial. 15 posts, 4 posters.
Member 8761667 wrote (#1):
Hello. When it comes to a user who has forgotten his password while trying to log on, for example, one way of him (not the administrator) resetting his password is to ask him to complete a field asking for his username or email, or both, and then sending him a link and 'token' to do so. What is meant by 'token', please? Thanks.

David Mujica wrote (#2):
      You could set a temporary password for the user, then set the password to expire immediately. This would allow the user to log into the system using the temporary password but would force him to change his password immediately. In this case, the "token" would be the temporary password you have set for the user. The token is a randomly created string of letters and numbers.

Richard Deeming wrote (#3):
        Bad idea - now anyone who knows the username can lock the user out of their account by constantly requesting a temporary password.


        "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

Richard Deeming wrote (#4):
The token is usually just a random string which an attacker wouldn't be able to guess. A GUID would be a simple example. Make sure the token is time-limited, and is deleted as soon as the user has reset their password. It's probably a good idea to only store the hash of the token in the database, to ensure that a hacker with read access to the database couldn't reset arbitrary accounts. Troy Hunt has a good article which covers some of the other issues you'll want to think about: Troy Hunt: Everything you ever wanted to know about building a secure password reset feature


Member 8761667 wrote (#5):
Many thanks to you both, and for the link. I will take a look at it now. Would it be simpler (i.e. no time limit) to send a link to the user's email? Thanks again.

Richard Deeming wrote (#6):
              You have to send the link to the user's email. If you just display the link when the reset is requested, then anyone can reset the password for any account. The link has to be unique for each reset request, and must not be guessable. The link should only be valid for a short time (a few hours, or a day at most). Providing a link with no time limit makes it easier for hackers to guess the link. Make sure you store the expiration date in the database, not in the link!


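Putting the advice from #4 and #6 together (a random, unguessable token; only its hash stored; the expiry kept server-side; the record deleted on first use), as an added VB.NET example that is not code from the thread. The Dictionary stands in for the uniqueCode column of the OP's table, and the one-hour lifetime and the sample address are assumptions.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

' Added example, not from the thread. The in-memory store stands in for the
' database table; only a hash of the token and its expiry are ever kept.
Public Class ResetRecord
    Public Property Email As String
    Public Property ExpiresUtc As DateTime   ' expiry lives in the store, not in the link
End Class

Public Module ResetTokens
    ' Keyed by SHA-256 of the token, so someone who can read the store still
    ' cannot build a working reset link from it.
    Private ReadOnly ByHash As New Dictionary(Of String, ResetRecord)(StringComparer.Ordinal)
    Private ReadOnly Lifetime As TimeSpan = TimeSpan.FromHours(1)   ' assumed lifetime

    ' Issue a fresh token for a reset request: 32 CSPRNG bytes, URL-safe encoded.
    Public Function IssueToken(email As String, nowUtc As DateTime) As String
        Dim raw(31) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(raw)
        End Using
        Dim token As String = Convert.ToBase64String(raw).TrimEnd("="c).Replace("+"c, "-"c).Replace("/"c, "_"c)

        ' A second request for the same address replaces the earlier record,
        ' so only the most recently emailed link is valid.
        Dim stale As String = Nothing
        For Each kv In ByHash
            If String.Equals(kv.Value.Email, email, StringComparison.OrdinalIgnoreCase) Then stale = kv.Key
        Next
        If stale IsNot Nothing Then ByHash.Remove(stale)

        ByHash(HashToken(token)) = New ResetRecord With {.Email = email, .ExpiresUtc = nowUtc.Add(Lifetime)}
        Return token
    End Function

    ' Redeem the token from the link. Returns the email on success, Nothing on any failure.
    ' The record is removed on first use, valid or expired, so the link is single-use.
    Public Function Redeem(token As String, nowUtc As DateTime) As String
        If token Is Nothing Then Return Nothing
        Dim hash As String = HashToken(token)
        Dim rec As ResetRecord = Nothing
        If Not ByHash.TryGetValue(hash, rec) Then Return Nothing
        ByHash.Remove(hash)
        If rec.ExpiresUtc <= nowUtc Then Return Nothing
        Return rec.Email
    End Function

    Private Function HashToken(token As String) As String
        Using sha As SHA256 = SHA256.Create()
            Return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(token))).Replace("-", "")
        End Using
    End Function

    ' Self-check with constructed values only.
    Public Sub Main()
        Dim issued As DateTime = New DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc)
        Dim t As String = IssueToken("student@example.invalid", issued)
        Console.WriteLine(Redeem("not-the-token", issued.AddMinutes(5)) Is Nothing)    ' True: unknown token
        Console.WriteLine(Redeem(t, issued.AddMinutes(5)) = "student@example.invalid")  ' True: valid, first use
        Console.WriteLine(Redeem(t, issued.AddMinutes(6)) Is Nothing)                 ' True: already used
        Dim t2 As String = IssueToken("student@example.invalid", issued)
        Console.WriteLine(Redeem(t2, issued.AddHours(2)) Is Nothing)                  ' True: expired
    End Sub
End Module
```

The reset page would call Redeem with the value from the query string and refuse the request whenever it returns Nothing, without saying which check failed.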
Member 8761667 wrote (#7):
Thanks again, Richard. I came across this sample code yesterday that uses such a link: In my log-in aspx jay time_ version strBody.Append(("Click here to change your password") Can I ask, is the link above generated at random? Thanks!

Richard Deeming wrote (#8):
                  I don't know, because I can't see the code.


Member 8761667 wrote (#9):
                    Sorry. It's this:

Protected Sub btnForgot_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnForgot.Click

    Dim ConnectionString As String = "Data Source=|DataDirectory|students.mdb"
    Dim uniqueCode As String = String.Empty

    Using conn As New OleDbConnection(ConnectionString)
        Using cmd As OleDbCommand = conn.CreateCommand

            Try

                Dim dr As OleDbDataReader

                'Records to match the supplied email (strEmail)
                cmd = New OleDbCommand("SELECT * FROM university WHERE strEmail = @strEmail")

                conn.Open()
                cmd.Parameters.AddWithValue("@strEmail", strEmail.Text.Trim())
                cmd.Parameters.AddWithValue("@strEmail", Convert.ToString(strEmail.Text.Trim()))
                cmd.Parameters.AddWithValue("@uniqueCode", uniqueCode)
                cmd = New OleDbCommand("UPDATE university SET uniqueCode=@uniqueCode where strEmail = @strEmail", conn)

                If dr.HasRows Then
                    dr.Read()
                    'generate uniqueCode
                    uniqueCode = Convert.ToString(System.Guid.NewGuid())
                End If

                dr = cmd.ExecuteReader()
                cmd.ExecuteNonQuery()
                conn.Close()
                cmd.Dispose()

            Catch ex As Exception
                Console.WriteLine(ex.Message)
            End Try
        End Using
    End Using

    'Update the unique random code in the uniqueCode field of the database table

    Dim strBody As New StringBuilder()

    strBody.Append("<a href=""http://localhost:2464/SampleApplication/ResetPasswordVB.aspx?emailId=")  ' cut off in the post; the link text was "Click here to reset your password"


                    SMTP code follows

                    I know there are some errors. It's that line with localhost:2464 that I was referring to. Thanks

ZurdoDev wrote (#10):
                      Richard Deeming wrote:

                      store the expiration date in the database, not in the link!

                      Or encrypt it and put it in the link. :^)

                      There are only 10 types of people in the world, those who understand binary and those who don't.

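A sketch of the alternative ZurdoDev raises, carrying the expiry inside the link, added here as an example that is not from the thread. The expiry is not secret, so what the link needs is integrity rather than secrecy: the payload is signed with an HMAC instead of only encrypted, and a verifier that cannot confirm the signature never reads the fields. The key is a placeholder, and passwordStamp (any value that changes when the password changes, so the link stops working once the reset has been completed) is an assumption.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

' Added example, not from the thread. A stateless reset link: the expiry and
' the account travel in the link, protected by an HMAC over the whole payload.
Public Module SignedResetLink
    ' Placeholder key; a real application loads this from protected configuration.
    Private ReadOnly Key As Byte() = Encoding.UTF8.GetBytes("PLACEHOLDER-server-secret-replace-me")

    ' payload = email|expiryTicksUtc|passwordStamp ; token = base64url(payload) & "." & base64url(mac)
    ' passwordStamp (assumed) is something derived from the current password hash, so a
    ' link issued before a successful reset no longer verifies afterwards.
    Public Function Create(email As String, expiresUtc As DateTime, passwordStamp As String) As String
        Dim payload As Byte() = Encoding.UTF8.GetBytes(email & "|" & expiresUtc.Ticks & "|" & passwordStamp)
        Return B64(payload) & "." & B64(Mac(payload))
    End Function

    ' Returns the email when the signature is valid, the link is unexpired and the
    ' password stamp is unchanged; Nothing otherwise.
    Public Function Verify(token As String, nowUtc As DateTime, currentStamp As String) As String
        If token Is Nothing Then Return Nothing
        Dim parts() As String = token.Split("."c)
        If parts.Length <> 2 Then Return Nothing
        Dim payload As Byte() = UnB64(parts(0))
        Dim mac As Byte() = UnB64(parts(1))
        If payload Is Nothing OrElse mac Is Nothing Then Return Nothing
        If Not FixedTimeEquals(Mac(payload), mac) Then Return Nothing   ' check the MAC before trusting any field
        Dim fields() As String = Encoding.UTF8.GetString(payload).Split("|"c)
        If fields.Length <> 3 Then Return Nothing
        Dim ticks As Long
        If Not Long.TryParse(fields(1), ticks) Then Return Nothing
        If New DateTime(ticks, DateTimeKind.Utc) <= nowUtc Then Return Nothing
        If fields(2) <> currentStamp Then Return Nothing
        Return fields(0)
    End Function

    Private Function Mac(data As Byte()) As Byte()
        Using h As New HMACSHA256(Key)
            Return h.ComputeHash(data)
        End Using
    End Function

    ' Constant-time comparison; classic .NET Framework has no CryptographicOperations.FixedTimeEquals.
    Private Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Private Function B64(data As Byte()) As String
        Return Convert.ToBase64String(data).TrimEnd("="c).Replace("+"c, "-"c).Replace("/"c, "_"c)
    End Function

    Private Function UnB64(s As String) As Byte()
        Dim t As String = s.Replace("-"c, "+"c).Replace("_"c, "/"c)
        t = t.PadRight(t.Length + (4 - t.Length Mod 4) Mod 4, "="c)
        Try
            Return Convert.FromBase64String(t)
        Catch ex As FormatException
            Return Nothing
        End Try
    End Function

    ' Self-check with constructed values only.
    Public Sub Main()
        Dim issued As DateTime = New DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc)
        Dim link As String = Create("student@example.invalid", issued.AddHours(1), "stamp-v1")
        Console.WriteLine(Verify(link, issued.AddMinutes(10), "stamp-v1") = "student@example.invalid") ' True
        Console.WriteLine(Verify(link, issued.AddHours(2), "stamp-v1") Is Nothing)                     ' True: expired
        Console.WriteLine(Verify(link, issued.AddMinutes(10), "stamp-v2") Is Nothing)                  ' True: password already changed
        Console.WriteLine(Verify(link.Substring(0, link.Length - 1) & "A", issued, "stamp-v1") Is Nothing) ' True: tampered
    End Sub
End Module
```

Without server-side state there is nothing to delete after use, which is why the stamp binding matters: it is the only thing that retires a link once the reset has gone through.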
Richard Deeming wrote (#11):
                        Member 8761667 wrote:

                        I know there are some errors.

                        You're not kidding! :omg: I don't think there's a need to pass the email address in the link; you should be able to look up the record based purely on the unique code. Something like this should work:

Protected Sub btnForgot_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnForgot.Click
    Const ConnectionString As String = "Data Source=|DataDirectory|students.mdb"
    Dim uniqueCode As String = Guid.NewGuid().ToString("N")
    Dim recordExists As Boolean = False

    Using conn As New OleDbConnection(ConnectionString)
        Using cmd As OleDbCommand = conn.CreateCommand()
            cmd.CommandText = "UPDATE university SET uniqueCode = @uniqueCode WHERE strEmail = @strEmail"
            cmd.Parameters.AddWithValue("@uniqueCode", uniqueCode)
            cmd.Parameters.AddWithValue("@strEmail", strEmail.Text.Trim())

            conn.Open()
            Dim recordsAffected As Integer = cmd.ExecuteNonQuery()
            If recordsAffected <> 0 Then recordExists = True
        End Using
    End Using

    If recordExists Then
        Dim builder As New UriBuilder(Request.Url)
        builder.Path = VirtualPathUtility.ToAbsolute("~/ResetPasswordVB.aspx")
        builder.Query = "uniqueCode=" & HttpUtility.UrlEncode(uniqueCode)

        Dim link As String = builder.Uri.ToString()
        ' Eg: http://localhost:2464/SampleApplication/ResetPasswordVB.aspx?uniqueCode=ee3106b4df694555b4ca6f2727a23dc8

        ...
    End If
End Sub


Member 8761667 wrote (#12):
Wow! I feel as if I have been hit by Mike Tyson! What a wake-up call. It's my first attempt at it, in my defence, but your code is so neat and makes easy reading even though I don't yet understand every line. I will go through it and research a bit the things I am hazy about (especially after that knockout blow!), and when it's all up and running I will post back so that you can admire your craft. Many thanks, Richard, I am so grateful.

Member 8761667 wrote (#13):
Thanks, Ryan. Adding a Date/Time column to Access sounds a bit easier! But thanks for suggesting an alternative!

Member 8761667 wrote (#14):
Hello Richard. Just a quick question about the code you kindly sent to me. It concerns this line here:

                              Dim recordExists As Boolean = False

                              Is there a reason this is not 'true'? Either the user exists in the database or not. If he does, then he gets sent the link; if not, he should register. Isn't it as black and white as that? If Boolean is set to false, doesn't that suggest that it is unimportant whether he exists or not? Thanks

Richard Deeming wrote (#15):
                                You need to know whether the record exists to know whether you're going to send a "forgotten password" email or a "register" email. The flag is initially set to False because the code later updates it to True if the record was found. You could reverse that logic, but I think it makes more sense as it is.

