User resets password (email is sent with new password), user logs in with new password: how to redirect to change password page?

I have a page with the login control, another page with a reset password control and another page with a change password control.

Login and reset work perfectly. However, what I want is very simple. Once the user receives the email with their new generic password, I would like the next time that user logs in (using the new generic password) to automatically take them to the change password page. I am sure there is an easy way to do this and I just haven't figured it out. I am using VS2008. Thank you for your help!

Shawn

0
shawn
4/29/2009 2:57:37 PM
asp.net.security

The simplest way would be to update the aspnet_Membership table for that user when the password reset is done, setting the Comments field to something like "Change Password". On our web page, check for this first; if it is set to "Change Password", send the user to the change password page and set the Comments field to "Password Changed".

ResetPassword.aspx: 

protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
{
    MembershipUser userInfo = Membership.GetUser(User.Identity.Name);
    userInfo.Comment = "Password Changed";
    Membership.UpdateUser(userInfo);
}
    
protected void uxResetPassword_Click(object sender, EventArgs e)
{
    if (uxNewPassword.Text.Length == 0)
    {            
        uxMessage.Text = "New Password field cannot be empty.";
        return;
    }
    string username = uxUserList.SelectedItem.Text;
    string password = uxNewPassword.Text;
    try
    {            
        MembershipUser userInfo = Membership.GetUser(username);
        userInfo.ChangePassword(userInfo.ResetPassword(), password);
        userInfo.Comment = "Change Password";
        Membership.UpdateUser(userInfo);
        uxMessage.Visible = true;
        uxMessage.Text = "Password reset successful.";            
    }
    catch (System.Exception ex)
    {
        uxMessage.Visible = true;
        uxMessage.Text = "Password reset failed.<br />";
        uxMessage.Text += ex.Message;
    }
}

Default.aspx:

void Page_Load(object sender, EventArgs e)
{       
     // Send users to ResetPassword page on first login        
        
     if (HttpContext.Current.User.Identity.IsAuthenticated)
     {
         MembershipUser userInfo = Membership.GetUser(HttpContext.Current.User.Identity.Name);
         if (userInfo.Comment == "Change Password")
         {
             Response.Redirect("~/ResetPassword.aspx");
         }
     }
}
  
Thanks,
Max
Let Me Google That For You!
0
bullpit
4/29/2009 3:12:24 PM

Here are the things I did for my page:

- Forgot password: when the user enters their login name, I flag the user table using a GUID column, grab the GUID from the table for that user, and send it with the email as a link, e.g.:

please click here to reset password:

http://www.whatever.com/ResetPassword.aspx?guid=fsdgi236489*7892hu

Once the user clicks on the link, in the ResetPassword page load, validate the GUID querystring against the GUID in the table for that user; then the user can reset their password.

Once the new password is saved, generate a new GUID in the table, so the user won't be able to access the page using the old GUID.

Good luck

 


Utomo IT Family
0
mutomo
4/29/2009 3:23:56 PM
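
Added example, not mutomo's code: the emailed-link flow described above, in VB.NET, with an in-memory Dictionary standing in for the GUID column. It goes slightly beyond the post by adding an expiry time and storing only a hash of the token; the ResetTokens module, its function names and the lifetime parameter are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

' Hypothetical helper: one outstanding reset token per user, valid once.
Public Module ResetTokens
    Private Class Entry
        Public Hash As String        ' SHA-256 of the token; the token itself is not stored
        Public Expires As DateTime   ' UTC
    End Class

    ' Stand-in for the GUID column in the user table.
    Private ReadOnly Store As New Dictionary(Of String, Entry)(StringComparer.OrdinalIgnoreCase)
    Private ReadOnly Gate As New Object()

    Private Function Sha256Hex(ByVal value As String) As String
        Using sha As SHA256 = SHA256.Create()
            Return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(value))).Replace("-", "")
        End Using
    End Function

    ' Called from the forgot-password page. Returns the value to put in ?guid=...
    ' Issuing a new token overwrites (and so invalidates) any earlier one.
    Public Function Issue(ByVal userName As String, ByVal lifetime As TimeSpan) As String
        Dim raw(15) As Byte                      ' 16 bytes, the size of a GUID
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(raw)                        ' cryptographic random source
        Dim token As String = New Guid(raw).ToString("N")
        Dim item As New Entry With {.Hash = Sha256Hex(token), .Expires = DateTime.UtcNow.Add(lifetime)}
        SyncLock Gate
            Store(userName) = item
        End SyncLock
        Return token
    End Function

    ' Called from ResetPassword page load. True only for the current, unexpired token.
    Public Function IsValid(ByVal userName As String, ByVal token As String) As Boolean
        If String.IsNullOrEmpty(userName) OrElse String.IsNullOrEmpty(token) Then Return False
        SyncLock Gate
            Dim found As Entry = Nothing
            If Not Store.TryGetValue(userName, found) Then Return False
            If found.Expires <= DateTime.UtcNow Then
                Store.Remove(userName)           ' expired links are discarded
                Return False
            End If
            Return String.Equals(found.Hash, Sha256Hex(token), StringComparison.Ordinal)
        End SyncLock
    End Function

    ' Called after the new password has been saved, so the old link stops working.
    Public Sub Consume(ByVal userName As String)
        SyncLock Gate
            Store.Remove(userName)
        End SyncLock
    End Sub
End Module
```

The reset page should call IsValid again on the postback that saves the new password, then Consume, so a link cannot be replayed between page load and save.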

I am a little confused about your code here. It looks like the resetpassword.aspx page you have should actually be changepassword.aspx. I am guessing it is for changing, not resetting, since you have error messages set up to enter a new password. In the resetpassword function all you do is enter your username and then your answer to your security question, and it sends a generic password to your email. All I need to know how to do is make it update the user table to add that comment line once this happens. All of the data validation is in place using the .NET resetpassword control. Like this:

resetpassword.aspx:
 

<asp:PasswordRecovery ID="PasswordRecovery1" runat="server" BackColor="#EFF3FB" 
        BorderColor="#B5C7DE" BorderPadding="4" BorderStyle="Solid" BorderWidth="1px" 
        Font-Names="Verdana" Font-Size="Medium" SuccessPageUrl="~/login.aspx">
        <MailDefinition From="shawn.bordeaux@justrightautosales.com" 
                        Subject="Password Reset">
        </MailDefinition>
        <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
        <SuccessTextStyle Font-Bold="True" ForeColor="#507CD1" />
        <TextBoxStyle Font-Size="0.8em" />
        <TitleTextStyle BackColor="#507CD1" Font-Bold="True" Font-Size="0.9em" 
            ForeColor="White" />
        <SubmitButtonStyle BackColor="White" BorderColor="#507CD1" BorderStyle="Solid" 
            BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" ForeColor="#284E98" />
    </asp:PasswordRecovery>
 and changepassword.aspx page:

 
    <asp:ChangePassword ID="ChangePassword1" runat="server" BackColor="#EFF3FB" 
        BorderColor="#B5C7DE" BorderPadding="4" BorderStyle="Solid" BorderWidth="1px" 
        Font-Names="Verdana" Font-Size="0.8em" Height="169px" Width="441px">
        <CancelButtonStyle BackColor="White" BorderColor="#507CD1" BorderStyle="Solid" 
            BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" ForeColor="#284E98" />
        <PasswordHintStyle Font-Italic="True" ForeColor="#507CD1" />
        <ContinueButtonStyle BackColor="White" BorderColor="#507CD1" 
            BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" 
            ForeColor="#284E98" />
        <ChangePasswordButtonStyle BackColor="White" BorderColor="#507CD1" 
            BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" 
            ForeColor="#284E98" />
        <TitleTextStyle BackColor="#507CD1" Font-Bold="True" Font-Size="0.9em" 
            ForeColor="White" />
        <TextBoxStyle Font-Size="0.8em" />
        <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
    </asp:ChangePassword>

So what do I need to add to that to check if the password has been reset? I have the code in a separate file, for example changepassword.aspx.vb.

Thanks for your help!

0
shawn
4/29/2009 11:22:36 PM

I have never used the PasswordRecovery control, but when I look at the events of that control, only SendingEmail appeals to me for this kind of work. What I wanted to point out in my code was updating the Membership table. I believe you can take that piece of code and stick it in the SendingEmail event. This event is fired when all the validations are done and just sending the email is pending.


Thanks,
Max
Let Me Google That For You!
0
bullpit
4/30/2009 12:20:04 PM

Okay, I understand my problem now. Your code is in C# and I am using VB. I will look at how to convert it to VB and I think it should work. The email code is auto generated using a .dll file, so I will just do it on the click of the submit for reset button to update the user table with the string.

 

0
shawn
4/30/2009 2:12:43 PM

Can you check this out to see where I am going wrong? I added the below code to my resetpassword.aspx.vb code-behind page. Here is the code:

 

 Protected Sub PasswordRecovery1_SendingMail(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.MailMessageEventArgs) Handles PasswordRecovery1.SendingMail
        Dim userInfo As MembershipUser = Membership.GetUser(User.Identity.Name)
        userInfo.Comment = "Password Changed"
        Membership.UpdateUser(userInfo)
    End Sub

I receive an error: "Object reference not set to an instance of an object.", pointing to the userInfo.Comment = "Password Changed" line.

What am I doing wrong? Thank you!!

0
shawn
4/30/2009 2:54:57 PM

It looks like the userInfo object is null, the reason being it was not able to create an object for the logged-in user. Can you step through the code to see if User.Identity.Name has anything in it?


Thanks,
Max
Let Me Google That For You!
0
bullpit
4/30/2009 3:31:56 PM

Here are my pages:

password_reset.aspx
 

<%@ Page Language="VB" MasterPageFile="~/MasterPage.master" AutoEventWireup="false" CodeFile="password_reset.aspx.vb" Inherits="Default2"%>

<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
 <div class="loginCenter">
    <asp:PasswordRecovery ID="PasswordRecovery1" runat="server" BackColor="#EFF3FB" 
        BorderColor="#B5C7DE" BorderPadding="4" BorderStyle="Solid" BorderWidth="1px" 
        Font-Names="Verdana" Font-Size="Medium" SuccessPageUrl="~/login.aspx">
        <MailDefinition From="shawn.bordeaux@justrightautosales.com" 
                        Subject="Password Reset">
        </MailDefinition>
        <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
        <SuccessTextStyle Font-Bold="True" ForeColor="#507CD1" />
        <TextBoxStyle Font-Size="0.8em" />
        <TitleTextStyle BackColor="#507CD1" Font-Bold="True" Font-Size="0.9em" 
            ForeColor="White" />
        <SubmitButtonStyle BackColor="White" BorderColor="#507CD1" BorderStyle="Solid" 
            BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" ForeColor="#284E98" />
    </asp:PasswordRecovery>
</div>
</asp:Content>

 password_reset.aspx.vb

Partial Class Default2
    Inherits System.Web.UI.Page

    Protected Sub PasswordRecovery1_SendingMail(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.MailMessageEventArgs) Handles PasswordRecovery1.SendingMail
        Dim userInfo As MembershipUser = Membership.GetUser(User.Identity.Name)
        userInfo.Comment = "Password Changed"
        Membership.UpdateUser(userInfo)
    End Sub
End Class

So the user logs in, and if they have forgotten their password they will be directed to the reset_password.aspx page. The control asks for their user name; when they click submit it then asks them for the answer to their "Security Question". Once they hit submit, if it matches the record in the table it generates the email with a new temp password and hopefully inserts the "Password Changed" field into the membership table.

Thanks!

0
shawn
4/30/2009 3:44:17 PM

I apologize. The reason why User.Identity.Name is empty is because the user is not logged in yet. Instead of User.Identity.Name, try using PasswordRecovery1.UserName.


Thanks,
Max
Let Me Google That For You!
0
bullpit
4/30/2009 3:51:11 PM

Thank you! Worked great! Now to reference the comment line when logging in I could do something like:

 

    Protected Sub LoginButton_Click(ByVal sender As Object, ByVal e As System.EventArgs)

        Dim userInfo As MembershipUser = Membership.GetUser(User.Identity.Name)
        If userInfo.Comment = "Password Changed" Then
            Response.Redirect("change_password.aspx")
        End If

    End Sub

This would be the login button on the login.aspx page, so once the user types their username and new generic password and clicks the login button, it checks the comment field of the membership page to see if it matches "Password Changed"; if so, it then redirects to change_password.aspx so they can change the password to something more personal.

Thanks!

0
shawn
4/30/2009 4:04:36 PM

Never mind, I figured that part out. I added it to the page load on my default.aspx.vb page and it works now. Thank you for your help!

0
shawn
4/30/2009 4:21:16 PM

You are welcome.


Thanks,
Max
Let Me Google That For You!
0
bullpit
4/30/2009 5:00:16 PM
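
Added example, not code from any post in this thread: the flow the thread arrives at, collected as VB.NET code-behind for a Web Site project. The flag strings follow bullpit's first reply; the PasswordFlag module, the Login1 control ID, the class names LoginPage, DefaultPage and ChangePasswordPage, and the ~/change_password.aspx path are assumptions.

```vbnet
Imports System
Imports System.Web.Security
Imports System.Web.UI.WebControls

' App_Code/PasswordFlag.vb: shared helper (hypothetical name)
Public Module PasswordFlag
    Public Const MustChange As String = "Change Password"
    Public Const Cleared As String = "Password Changed"

    ' Store the marker in the Comment column; False when the user cannot be found.
    Public Function SetComment(ByVal userName As String, ByVal value As String) As Boolean
        If String.IsNullOrEmpty(userName) Then Return False
        Dim info As MembershipUser = Membership.GetUser(userName)
        If info Is Nothing Then Return False   ' avoids the null reference seen in the thread
        info.Comment = value
        Membership.UpdateUser(info)
        Return True
    End Function

    Public Function IsChangeRequired(ByVal userName As String) As Boolean
        If String.IsNullOrEmpty(userName) Then Return False
        Dim info As MembershipUser = Membership.GetUser(userName)
        Return info IsNot Nothing AndAlso info.Comment = MustChange
    End Function
End Module

' password_reset.aspx.vb
Partial Class Default2
    Inherits System.Web.UI.Page

    ' The visitor is anonymous here, so the name comes from the control.
    Protected Sub PasswordRecovery1_SendingMail(ByVal sender As Object, ByVal e As MailMessageEventArgs) Handles PasswordRecovery1.SendingMail
        PasswordFlag.SetComment(PasswordRecovery1.UserName, PasswordFlag.MustChange)
    End Sub
End Class

' login.aspx.vb (Login1 is an assumed control ID)
Partial Class LoginPage
    Inherits System.Web.UI.Page

    ' User.Identity is not populated until the next request, so use Login1.UserName.
    Protected Sub Login1_LoggedIn(ByVal sender As Object, ByVal e As EventArgs) Handles Login1.LoggedIn
        If PasswordFlag.IsChangeRequired(Login1.UserName) Then
            Response.Redirect("~/change_password.aspx")
        End If
    End Sub
End Class

' default.aspx.vb: repeat this check on each page a signed-in user can open directly,
' otherwise the temporary password stays usable by skipping the login redirect.
Partial Class DefaultPage
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If User.Identity.IsAuthenticated AndAlso PasswordFlag.IsChangeRequired(User.Identity.Name) Then
            Response.Redirect("~/change_password.aspx")
        End If
    End Sub
End Class

' change_password.aspx.vb
Partial Class ChangePasswordPage
    Inherits System.Web.UI.Page

    ' Clear the marker only after the control reports a successful change.
    Protected Sub ChangePassword1_ChangedPassword(ByVal sender As Object, ByVal e As EventArgs) Handles ChangePassword1.ChangedPassword
        PasswordFlag.SetComment(User.Identity.Name, PasswordFlag.Cleared)
    End Sub
End Class
```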