
I'm using ASP.NET MVC5 Identity and want users to be able to reset their password just by entering their email.

There is only a fixed number of users and they are already set up, including an email address. If a user comes to the site, they may click the link "Send my Password" which should send the valid password to the deposited email.

I guess there is no easy way for the admin to receive the current password, so what I thought was necessary is to reset the password and then create the mail:

    [HttpPost]
    [AllowAnonymous]
    public JsonResult RecoverPassword(string usersEmail)
    {
        try
        {
            //"db" is my Context..
            var um = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));
            var user = db.Users.Where(x => x.Email == usersEmail).First();
            Random rnd = new Random();
            int rndNumber = rnd.Next(100, 999);
            string Password = "MostSecurePasswordInTheWorld" + rndNumber + ".";
            um.RemovePassword(user.Id);
            um.AddPassword(user.Id, Password);
            db.SaveChanges();
            //send mail
            ...

This might have some weaknesses (everybody who knows a valid email of some user might reset it, the password is sent in the mail, the auto-generated password is weak etc.). But the biggest weakness is: the password just does not get reset.

I don't encounter any errors in debugging, though, and am kind of clueless. What might be the problem here? Is the "user" I'm getting from

var user = db.Users.Where(x => x.Email == usersEmail).First();

not the user-object needed here?

peter
  • I would strongly advise against changing passwords without any kind of verification (i.e., send link to user first, once they respond, allow them to change the password.. this requires no passwords sent in email and doesn't allow users to prank each other by changing their passwords without authentication) – Erik Funkenbusch May 18 '14 at 15:19

3 Answers


You need to hash your password before saving it to database. Use the UserManager class for accessing password saving functionality, rather than trying to directly manipulate it using the entity class.

I would rather also suggest you send a link to your users where they can reset their passwords themselves to one of their own choosing.

Typically how I have implemented it in my systems is to keep a table in database for all password reset emails sent. The table contains a datetime timestamp field as well as a confirmation number, which is basically a randomly generated GUID, and of course a field for the target email address. You can then put the confirmation number and target email address in the query string of the reset link contained within your email. When the user clicks on the link, your system checks whether it is a valid confirmation number email pair and whether it has expired, before continuing to prompt your user for a new password.
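The reset-table design this answer describes, as an added example for .NET Framework (not the answer's or any project's code): the row type, the one-hour lifetime and the single-use flag are assumptions, the confirmation number comes from the CSPRNG, and the pair check is done in constant time.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// Hypothetical row of the reset table the answer describes (email, random
// confirmation number, issue time) plus a flag that makes each link single use.
public class PasswordResetRequest
{
    public string Email { get; set; }
    public string ConfirmationNumber { get; set; }
    public DateTime IssuedUtc { get; set; }
    public bool Used { get; set; }
}

public static class PasswordResetTokens
{
    public static readonly TimeSpan Lifetime = TimeSpan.FromHours(1); // assumed
    // Row to store and put in the mailed link; the number comes from the CSPRNG,
    // not System.Random, so it cannot be guessed from the time it was issued.
    public static PasswordResetRequest Issue(string email, DateTime nowUtc)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var number = BitConverter.ToString(bytes).Replace("-", "");
        return new PasswordResetRequest { Email = email, ConfirmationNumber = number, IssuedUtc = nowUtc };
    }

    // Validate the (confirmation number, email) pair from the query string:
    // unknown, already used or expired rows fail; a good row is marked used.
    public static bool TryConsume(IEnumerable<PasswordResetRequest> rows,
                                  string email, string confirmationNumber, DateTime nowUtc)
    {
        foreach (var row in rows)
        {
            if (row.Used || !string.Equals(row.Email, email, StringComparison.OrdinalIgnoreCase)) continue;
            if (!FixedTimeEquals(row.ConfirmationNumber, confirmationNumber ?? "")) continue;
            if (nowUtc - row.IssuedUtc > Lifetime) return false; // expired
            row.Used = true;
            return true;
        }
        return false;
    }
    // Compare without early exit so response time does not reveal how much of a
    // guessed confirmation number matched.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Only after TryConsume returns true should the new password be set through UserManager, and the confirmation number should never be logged or echoed back in the response.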


One of the common problems in identity usermanager functionality is that you don't have access to the dbContext it's using, thus you can't persist what you want.

Have a look at this SO answer which shows how to make the usermanager dbContext easily available

Updating user data - ASP.NET Identity

stackunderflow


Here is an article on adding password reset using SimpleMembership using the open source project called SimpleSecurity. This provides the information on the general design of a password reset in ASP.NET MVC. The same functionality has been implemented in the SimpleSecurity project using ASP.NET Identity. You can find the source code here for the controller. Take a look at the ResetPassword method.

Kevin Junghans