
I am using ASP.NET MVC with ASP.NET membership.

Following best practices for 'I forgot my password' logic, I want to do the following:

  • Send the user an email with a link to a unique, hidden URL that allows him to change his password.
  • Asking for a password reset does NOT reset the password; you need the unique link.

I'm looking for suggestions on the best way to generate this URL, make it valid only temporarily and then validate it. I think the ASP.NET membership standard way is to have a 'security question' which is really a lousy way of doing it.

What would be the best way to generate and validate such a link? Should I just generate a GUID and put it in the user's profile? I don't think there is any other pre-built way, right?

Simon_Weaver
  • I don't believe there is anything built into ASP.NET Membership that will generate a temporary URL to reset the password. Why do you think that the security question is a "lousy" option? It is simple and arguably more secure than sending a link to an inbox... which might never get to the intended recipient. – Ricardo Sanchez Nov 11 '09 at 06:56
  • Because I'm much more likely to be able to guess someone's pet's name than have access to their email. Apparently even Sarah Palin fell foul of this problem. – Simon_Weaver Nov 11 '09 at 07:37

1 Answer


Your solution is fine... Generating a GUID is OK for temporary password resets. Just be sure you aren't generating it until the user asks for it, then add it to their profile with a timestamp... and give it a very short window of opportunity, like an hour. Reset/clear it when the user accesses the URL.

Bryan
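As an added example (not code from the asker or the answerer), here is one way to implement the scheme the answer describes in C#: a token issued only when the user asks for a reset, stored with an expiry of one hour, and cleared when the link is used. Two choices go beyond the answer's GUID: the token comes from the CSPRNG (`RandomNumberGenerator`) rather than `Guid.NewGuid()`, since GUIDs are not specified to be unpredictable, and only a SHA-256 hash of the token is stored, so a copy of the profile table does not yield usable links. The `PasswordResetTokens` class, the in-memory dictionary standing in for the membership profile store, the injectable clock and the `alice` user are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Example code added to this page, not the asker's or answerer's. The dictionary
// stands in for the membership profile store; a real application would persist
// TokenHash and ExpiresUtc alongside the user record.
public class PasswordResetTokens
{
    // Per-user reset state: the hash of the token (never the token itself) and its expiry.
    private class ResetRecord
    {
        public string TokenHash;
        public DateTime ExpiresUtc;
    }

    private readonly Dictionary<string, ResetRecord> _store = new Dictionary<string, ResetRecord>();
    private readonly TimeSpan _lifetime;
    private readonly Func<DateTime> _utcNow;   // injectable clock so expiry can be exercised in a demo

    public PasswordResetTokens(TimeSpan lifetime, Func<DateTime> utcNow)
    {
        _lifetime = lifetime;
        _utcNow = utcNow;
    }

    // Called only when the user asks for a reset. Returns the raw token that goes into
    // the emailed link (e.g. /Account/Reset?u=alice&t=<token>); only its hash is stored.
    public string Issue(string userName)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(raw);                  // 256 random bits from the CSPRNG
        }
        string token = ToUrlSafeBase64(raw);
        _store[userName] = new ResetRecord
        {
            TokenHash = Sha256Hex(token),
            ExpiresUtc = _utcNow().Add(_lifetime),
        };
        return token;                           // overwrites any earlier pending token
    }

    // Validates the token from the URL against this user's pending record.
    // The record is cleared on success (single use) and on expiry; a mismatch leaves
    // it in place so a stranger cannot void a pending link by guessing wrong.
    public bool Redeem(string userName, string token)
    {
        ResetRecord rec;
        if (!_store.TryGetValue(userName, out rec))
            return false;                       // nothing pending for this user
        if (_utcNow() > rec.ExpiresUtc)
        {
            _store.Remove(userName);            // outside the one-hour window
            return false;
        }
        if (!FixedTimeEquals(rec.TokenHash, Sha256Hex(token)))
            return false;
        _store.Remove(userName);                // consumed: the link cannot be replayed
        return true;
    }

    private static string ToUrlSafeBase64(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static string Sha256Hex(string s)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes(s));
            var sb = new StringBuilder(hash.Length * 2);
            foreach (byte b in hash) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Constant-time comparison so response timing does not leak how much of the hash matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Fixed clock (constructed for the demo) that the code under test reads through the lambda.
        DateTime now = new DateTime(2009, 11, 11, 7, 0, 0, DateTimeKind.Utc);
        var tokens = new PasswordResetTokens(TimeSpan.FromHours(1), () => now);

        string token = tokens.Issue("alice");                                     // goes into the emailed link
        Console.WriteLine("wrong token accepted: " + tokens.Redeem("alice", "not-the-token"));
        Console.WriteLine("real token accepted:  " + tokens.Redeem("alice", token));
        Console.WriteLine("replay accepted:      " + tokens.Redeem("alice", token));   // single use

        string second = tokens.Issue("alice");
        now = now.AddHours(2);                                                    // move past the window
        Console.WriteLine("expired accepted:     " + tokens.Redeem("alice", second));
    }
}
```

In an MVC controller the `Issue` call belongs in the POST handler for the "forgot password" form (after looking the user up by email, and responding identically whether or not the address exists), and `Redeem` in the handler for the emailed link, with the actual password change done only after it returns true.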