Tuesday, January 27, 2009

Resetting password with asp.net security

When using hashed passwords, if a user forgets their password, there is no obvious way to reset it: the old password is needed to assign a new password, and hashed passwords cannot be retrieved from the database. But it can be done.

The key is to reset the password first, then use the temporary password returned by the reset as the old password when assigning the new password entered by the administrator.

I put a couple textboxes up on a page (tbPassword and tbConfirmPassword) and in the Web.Config set the requiresQuestionAndAnswer property of the security provider to false.

With that in place, if the administrator puts a value in the "New Password" text box, I know they intend to change the password and call the following code:



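// A non-empty "New Password" box means the administrator wants to change the password.
if (tbPassword.Text != "")
{
    // Reset first: the provider generates and returns a temporary password.
    string tempPassword = Membership.Provider.ResetPassword(membershipUser.UserName, "");
    // Use the temporary password as the old password for the real change.
    // ChangePassword returns false on failure, leaving the temporary password in place.
    Membership.Provider.ChangePassword(membershipUser.UserName, tempPassword, tbPassword.Text);
}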
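
The same reset-then-change sequence with its checks moved ahead of the reset, as an added example that is not code from the original post. The class and method names (AdminPasswordReset, SetPassword) are hypothetical, and it assumes the provider also has enablePasswordReset set to true, which ResetPassword requires.

```csharp
using System;
using System.Linq;
using System.Web.Security;

public static class AdminPasswordReset // hypothetical helper, not from the post
{
    // Sets a new password for a user without knowing the old one.
    // Every check runs before ResetPassword, because once the reset succeeds the
    // account holds a random password nobody knows until ChangePassword succeeds.
    public static void SetPassword(MembershipUser user, string newPassword, string confirmPassword)
    {
        if (string.IsNullOrEmpty(newPassword))
            return; // empty box: the administrator did not ask for a change

        if (newPassword != confirmPassword)
            throw new ArgumentException("New password and confirmation do not match.");

        MembershipProvider provider = Membership.Provider;

        // The approach depends on these two provider settings in Web.config.
        if (!provider.EnablePasswordReset || provider.RequiresQuestionAndAnswer)
            throw new InvalidOperationException(
                "Provider must have enablePasswordReset=true and requiresQuestionAndAnswer=false.");

        // Apply the provider's own length and character policy up front.
        int nonAlphanumeric = newPassword.Count(c => !char.IsLetterOrDigit(c));
        if (newPassword.Length < provider.MinRequiredPasswordLength ||
            nonAlphanumeric < provider.MinRequiredNonAlphanumericCharacters)
            throw new ArgumentException("New password does not meet the provider's policy.");

        // The temporary password stays in memory only; never display or log it.
        string tempPassword = provider.ResetPassword(user.UserName, "");

        if (!provider.ChangePassword(user.UserName, tempPassword, newPassword))
            throw new InvalidOperationException(
                "Password was reset but the new one was not applied; the account holds a temporary password.");
    }
}
```

From the page's code-behind this would be called as AdminPasswordReset.SetPassword(membershipUser, tbPassword.Text, tbConfirmPassword.Text).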
