In an earlier post I introduced logon with an email address, built on ASP.NET Membership, for managing a website, and pointed out that this is a more secure approach: a user's email address is normally not exposed anywhere on the site, so someone who does not know it cannot guess the logon credential and brute-force the account.
However, for password retrieval the PasswordRecovery control that ASP.NET provides still asks the user for the user name in order to reset the password, which undoubtedly lowers the security of an email-address logon scheme.
Whether or not the site uses email-address logon, if security questions are disabled anyone can type a user name directly into the password retrieval page; the system then automatically resets that user's password to a new random one and sends it to the registered mailbox. This is very likely to be abused by people with ill intent: anyone can reset your password at any time, so you can no longer log on normally and have to fetch the new password from your mailbox, which is obviously wrong.
So how do we make the PasswordRecovery control accept an email address instead of a user name? It is actually very simple:
First, set the display properties of the PasswordRecovery control so that it prompts the user to enter an email address rather than a user name:
Then you only need to implement the VerifyingUser event handler, which can be written as follows:
// Code-behind of the page that hosts PasswordRecovery1; needs
// using System.Web.Security; (Membership) and System.Web.UI.WebControls.
protected void PasswordRecovery1_VerifyingUser(object sender, LoginCancelEventArgs e)
{
    // The user typed an email address into the "user name" box; map it to the
    // real user name. GetUserNameByEmail returns null when no user has that email.
    PasswordRecovery1.UserName = Membership.GetUserNameByEmail(PasswordRecovery1.UserName);
    if (string.IsNullOrEmpty(PasswordRecovery1.UserName))
    {
        // Unknown address: show a generic message and cancel the reset.
        PasswordRecovery1.UserNameInstructionText = "The email address is entered incorrectly or is not registered.";
        e.Cancel = true;
    }
}
In this way, a password can only be reset, and the new password received, after the correct email address has been entered.
Of course, for the control to reset passwords at all, your Web.config must configure the corresponding Membership provider, and for mail to be sent it must configure the mailSettings node; both are beyond the scope of this article. For details, refer to this book: http://book.csdn.net/bookfiles/488/10048816972.shtml
With this change, ordinary users of the site, who do not know other users' email addresses, can no longer maliciously reset their passwords. However, acquaintances, or people who know a particular user reasonably well, still know that user's usual email address (it can be obtained from the person's blog, for example). How can this problem be avoided?
I recommend including a warning in the password retrieval email together with the IP address from which the request was submitted, and letting the user deal with it:
Note: If you did not request a password reset and received this message unexpectedly, the security of your account may be threatened.
Because password retrieval requires your registered email address, and this site never discloses it, the request very likely came from an acquaintance who knows your email address.
We have recorded the IP address from which this request was submitted: 127.0.0.1.
We also strongly recommend that you log on with the new password above and change your registered email address immediately.
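The warning above can be appended from the control's SendingMail event, which fires after the new password has been generated and before the mail is sent. The handler below is an added example, not code from the original article; it assumes the same PasswordRecovery1 control with a plain-text MailDefinition body and OnSendingMail="PasswordRecovery1_SendingMail" wired in the markup.

```csharp
// Added example: append the warning and requester IP to the reset e-mail,
// and leave a server-side audit record for incident response.
using System;
using System.Diagnostics;
using System.Web.UI.WebControls;

public partial class RecoverPassword : System.Web.UI.Page
{
    protected void PasswordRecovery1_SendingMail(object sender, MailMessageEventArgs e)
    {
        // UserHostAddress is the TCP peer. Behind a reverse proxy or load balancer
        // it is the proxy's address; X-Forwarded-For is client-controlled, so it is
        // recorded for the log but never shown to the user as authoritative.
        string requesterIp = Request.UserHostAddress;
        string forwardedFor = Request.Headers["X-Forwarded-For"];

        string warning =
            Environment.NewLine + Environment.NewLine +
            "Note: If you did not request a password reset and received this message " +
            "unexpectedly, the security of your account may be threatened." +
            Environment.NewLine +
            "Because password retrieval requires your registered email address, and this " +
            "site never discloses it, the request very likely came from an acquaintance " +
            "who knows your email address." + Environment.NewLine +
            "We have recorded the IP address from which this request was submitted: " +
            requesterIp + "." + Environment.NewLine +
            "We also strongly recommend that you log on with the new password above and " +
            "change your registered email address immediately.";

        // MailDefinition already filled in <%UserName%> and <%Password%>;
        // only the warning is appended here (assumes IsBodyHtml == false).
        e.Message.Body += warning;

        // Audit trail: which account, from where, and when. Never log the password.
        Trace.TraceInformation(
            "PasswordReset requested user={0} ip={1} xff={2} at={3:o}",
            PasswordRecovery1.UserName, requesterIp, forwardedFor ?? "-", DateTime.UtcNow);
    }
}
```

If the MailDefinition body is HTML, wrap the warning in a <p> element before appending so the line breaks survive in the rendered message.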