
My client has provided very detailed specs for an application. Those specs include allowing a user to change their password, but do not include the user specifying their current password. I just tried writing the code to do this and it seems that a user's password cannot be changed without specifying the old/current password?

I found an article that suggests a way, but I want to know opinions on whether this is advisable or whether there really isn't a better way.

Here's the link to that article. I don't think EFS is a concern, but then again I'm not really sure what that is.

Does anyone know a better way, or would this be acceptable?

rwkiii
  • Assuming that they are already authenticated in some way, can't you just use the token they already provided? After all, it would be foolish to just take someone's word for it that they are user X, and allow them to change any user's password. – Scott Solmer Jun 23 '14 at 03:09
  • The article you linked is related to C++ and changing the Windows password; it has no relevance to ASP.NET Identity. – Claies Jun 23 '14 at 03:10
  • I could recommend several changes to the 86-page specs I've received, but this is for a global company that has spent months prior to my involvement in detailing exactly what they want. I agree with you and I may make a suggestion to them about this, but I'm trying to find out if there isn't another alternative first. What's wrong with that? ;) – rwkiii Jun 23 '14 at 03:11
  • Yea, I was looking it over and saw that it's not even applicable. – rwkiii Jun 23 '14 at 03:12
  • I came across [this article](http://stackoverflow.com/questions/19524111/asp-net-identity-reset-password) that seems to indicate passwords can be changed without specifying the current password, but I'm running into a problem and I think it's because the SecurityStamp is left as null after running the code. One user in that article said he had the same problem and was able to resolve it with a call to `UserManager.UpdateSecurityStampAsync(user.Id)` but that isn't working for me and I can't figure out why. Any clues? – rwkiii Jun 23 '14 at 05:19
  • Actually the Updated code in the article above does work. I had to make a couple of changes in my routine, but it works fine now. :D – rwkiii Jun 23 '14 at 05:29

0 Answers