Password Reset for Membership in ASP.NET
Author: Yi Mingzhi
Date: Wednesday, June 13, 2007
The membership mechanism introduced in ASP.NET 2.0 brings a lot of convenience to web development and reduces the work of handling users, roles, and permissions in many projects. However, we may run into a small problem during development:
We know that MembershipUser has the following overloaded methods:
- MembershipUser.ResetPassword(): resets the user's password to a new, automatically generated password.
- MembershipUser.ResetPassword(string passwordAnswer): resets the user's password to a new, automatically generated password.
MSDN gives the following description:
ResetPassword calls the MembershipProvider.ResetPassword method of the membership provider referenced by the ProviderName property to reset the password of the membership user to a new automatically generated password. Then, it returns the new password to the caller.
If EnablePasswordReset is false, the membership provider returns an exception.
If RequiresQuestionAndAnswer is true, you must use the ResetPassword overload method with the password prompt answer as the parameter, and provide the password of the qualified user. If you need a password and provide an incorrect password, the membership provider will throw a MembershipPasswordException.
Another method, MembershipUser.ChangePassword(string oldPassword, string newPassword), requires the original password. So there is a conflict: we want users to be able to retrieve their password through the security question and answer, but what should we do when the administrator needs to reset a user's password? None of the above methods can be used directly: either you use MembershipUser.ResetPassword() without security question and answer verification, or you must know the answer or the original password. We know that security-related data is encrypted and often stored with one-way encoding, which means we cannot easily learn the user's answer or old password by reading the database! So how can we solve this problem? Here is a small solution:
The membership database contains a stored procedure for setting the user password:
```sql
CREATE PROCEDURE aspnet_Membership_SetPassword
(
    @ApplicationName nvarchar(256),
    @UserName        nvarchar(256),
    @NewPassword     nvarchar(128),
    @PasswordSalt    nvarchar(128),
    @CurrentTimeUtc  datetime,
    @PasswordFormat  int = 0
)
```
Return value: 0 is returned on success; 1 is returned if the user does not exist.
So, let's solve our problem! The idea is simple: first set the user's password to a known default password, and then call MembershipUser.ChangePassword(string oldPassword, string newPassword) with that default as the old password to change the user's password. The following code assumes that a DataAccess.RunProcedure method has already been implemented to execute the stored procedure:
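```csharp
using System;
using System.Data.SqlClient;
using System.Web.Security;

public class MembershipSafe
{
    public static string ResetPassword(string username)
    {
        // Change the user's password to an 8-character random password
        // that contains at least one special symbol
        return ResetPassword(username, Membership.GeneratePassword(8, 1));
    }

    public static string ResetPassword(string username, string newPassword)
    {
        // First change the user's password to 123123.
        // Base64 is case-sensitive and these two strings appear here in lower case
        // only, so generate the hash/salt pair for the temporary password with
        // your own provider instead of copying them.
        SqlParameter[] _sp = {
            new SqlParameter("@ApplicationName", Membership.ApplicationName),
            new SqlParameter("@UserName", username),
            new SqlParameter("@NewPassword", "1m4h3ezlakw1wbvttwyjijza33w="),
            new SqlParameter("@PasswordSalt", "rcvy3pcccz9txw7nhp1maw="),
            new SqlParameter("@CurrentTimeUtc", DateTime.UtcNow), // the parameter expects UTC
            new SqlParameter("@PasswordFormat", 1)
        };
        // DataAccess.RunProcedure is assumed to return the procedure's return value
        bool op = DataAccess.RunProcedure("aspnet_Membership_SetPassword", _sp) == 0;
        if (!op)
            throw new InvalidOperationException("aspnet_Membership_SetPassword failed for user " + username);

        // Use 123123 as the original password and change it to the new password
        if (!Membership.GetUser(username).ChangePassword("123123", newPassword))
            throw new InvalidOperationException("ChangePassword failed for user " + username);
        return newPassword;
    }
}
```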
Note: The above code is for reference only. It does not necessarily meet the requirements of your specific project. For example, someone may go on to ask how to tell the user about the changed password. The answer is email or phone notification, haha ~~
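How a @NewPassword / @PasswordSalt pair like the one hard-coded in the code above is produced, as an added example that is not the original author's code. It assumes the provider stores passwords in the Hashed format (@PasswordFormat = 1) with SHA1, the default of SqlMembershipProvider in ASP.NET 2.0; the class and method names are hypothetical and the sample password is constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; class and method names are hypothetical.
public static class MembershipHashDemo
{
    // Fresh random 16-byte salt, Base64-encoded, for @PasswordSalt.
    public static string NewSalt()
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // Assumed scheme (Hashed format, SHA1):
    // Base64(SHA1(salt bytes followed by UTF-16LE password bytes)).
    public static string HashPassword(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(all));
        }
    }

    public static void Main()
    {
        string tempPassword = "Constructed-Temp-1!"; // constructed sample value
        string salt = NewSalt();
        string hash = HashPassword(tempPassword, salt);

        // These two strings are what @PasswordSalt and @NewPassword carry
        // when @PasswordFormat = 1.
        Console.WriteLine("@PasswordSalt = " + salt);
        Console.WriteLine("@NewPassword  = " + hash);

        // The same password with the same salt reproduces the hash;
        // the same password with a different salt does not.
        Console.WriteLine(hash == HashPassword(tempPassword, salt));
        Console.WriteLine(hash == HashPassword(tempPassword, NewSalt()));
    }
}
```

Generating the temporary password and its salt on each call means the account is never sitting on the same fixed, known password between the stored-procedure call and ChangePassword.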