5.4. Recover Passwords for Users
Note: Let users recover their lost passwords automatically through email.
Users sometimes (in reality, a lot of times!) forget their passwords, and you need to have a mechanism to help them recover their passwords easily. One of the most common ways is for the site to ask for your email address so that it can send you the password. In ASP.NET 2.0, this functionality is accomplished by the PasswordRecovery control.
The PasswordRecovery control allows users to retrieve their forgotten passwords via email and makes it a snap to implement this functionality for your site.
Password recovery makes sense only if you store the password as plain text and not its hashed value. However, by default, the settings in the machine.config file specify that all passwords be hashed before they are stored in the member database. machine.config also disables password retrieval by default.
To store the user's password in plain text, add the following to Web.config:
...
<system.web>
  <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
    <providers>
      <clear />
      <add name="SqlProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="LocalSqlServer"
           applicationName="chap05-SecurityControls"
           enablePasswordRetrieval="true"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="true"
           requiresUniqueEmail="true"
           passwordFormat="Clear" />
    </providers>
  </membership>
...
Specifically, you are clearing all the Membership Providers and then adding a new SqlMembershipProvider. Note that you need to set the enablePasswordRetrieval and passwordFormat attributes (to true and Clear, respectively) in order to allow passwords to be retrieved.
If you set the passwordFormat as Hashed, then the enablePasswordReset must be set to false.
5.4.1. How do I do that?
In this lab, you will use the PasswordRecovery control to allow users to recover their forgotten passwords. You will extend the Default.aspx page created in the earlier lab with the PasswordRecovery control so that users who have forgotten their passwords can retrieve them through email.
Using the project created in the last lab (C:\ASPNET20\chap-5-SecurityControls), drag and drop the PasswordRecovery control onto Default.aspx (see Figure 5-18).
Figure 5-18. Adding the PasswordRecovery control to the Default.aspx form
Set the From and Subject properties from the MailDefinition node in the Properties window of the PasswordRecovery control (see Figure 5-19).
Figure 5-19. Configuring the PasswordRecovery control
Apply the Elegant scheme to the PasswordRecovery control (through the Auto Format... link in the PasswordRecovery Tasks menu).
Press F5 to test the application. You will first be prompted to enter your username, followed by the question that you set when you first registered. If your answer matches the one stored in the database, an email is sent to you; otherwise, you have to try again. The dialog is shown in Figure 5-20.
Figure 5-20. Recovering lost passwords
Tip: You need to have SMTP service configured on your machine for the PasswordRecovery control to send an email. You can configure SMTP service on your machine by using the Configure SMTP email settings page of the ASP.NET Web Application Administration application.
For security reasons, it is not a good idea to send a user's password through email. Hence, you need to carefully consider this option before you decide to use it.
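As an added example (not the book's own Web.config), here is the same provider entry from the configuration above, but kept at the hashed-password defaults that machine.config already applies. With enablePasswordRetrieval off and enablePasswordReset on, the PasswordRecovery control cannot mail the stored password; instead it generates a new one and mails that. The maxInvalidPasswordAttempts and passwordAttemptWindow attributes are SqlMembershipProvider settings not shown in the book's fragment, and the values given for them are assumptions.

```xml
<!-- Added example, not from the book. Same SqlProvider as in the lab,
     reconfigured so that the member database never holds a readable password. -->
<system.web>
  <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
    <providers>
      <clear />
      <add name="SqlProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="LocalSqlServer"
           applicationName="chap05-SecurityControls"
           <!-- Hashed: only a salted hash is stored, so a copied database
                does not disclose user passwords. -->
           passwordFormat="Hashed"
           <!-- Retrieval must be off when the format is Hashed; the original
                password can no longer be sent by email. -->
           enablePasswordRetrieval="false"
           <!-- Reset on: PasswordRecovery calls ResetPassword and emails the
                newly generated password instead of the stored one. -->
           enablePasswordReset="true"
           <!-- Keep the security question as a second factor for the reset. -->
           requiresQuestionAndAnswer="true"
           requiresUniqueEmail="true"
           <!-- Assumed values: wrong passwords or wrong security answers within
                a 10-minute window lock the account after 5 attempts. -->
           maxInvalidPasswordAttempts="5"
           passwordAttemptWindow="10" />
    </providers>
  </membership>
</system.web>
```

Because a reset replaces the password rather than revealing it, the control's success message should tell the user to log in with the emailed password and change it at once.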
5.4.2. What about...
...resetting a password?
You will learn how to reset a user password in the lab Section 5.8, later in this chapter.
5.4.3. Where can I learn more?
To see the various methods and properties supported by the PasswordRecovery control, check out the MSDN Help topic "PasswordRecovery Members."
For more information on SMTP, check out the following SMTP chapter from the book Exchange Server 2003 Transport and Routing Guide: