views: 384

answers: 5

I am looking to implement a Forgot Password feature on my website. I like the option where an email containing a temporary one-time use URL that expires after some time is sent to the user.

I have looked at the following pages to get these ideas but I am not sure how to implement this using ASP.NET and C#. As one of the users indicated, if I can implement this without storing this information inside the database, that will be ideal. Please advise.

http://stackoverflow.com/questions/1306942/password-reset-by-emailing-temporary-passwords

Thanks.

+2  A: 

Depending on your needs, you could encrypt information, in a format similar to the following

(UserId)-(ExpireDate)

Encrypt the data, make that the link, then decrypt the data and take action from there...

Crude, but most likely usable, and not requiring DB usage

Mitchel Sellers
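One way to build the "no database" link described in this answer, as an added example that is not the answerer's code: instead of encrypting `(UserId)-(ExpireDate)`, the token carries those values in the clear and authenticates them with an HMAC, so a tampered user id or expiry fails verification. It goes beyond the answer in one respect: the MAC also covers the user's current password hash, so the link stops verifying once the password has been changed, giving one-time use without storing anything. `ServerKey` and the `lookupPasswordHash` callback are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example. Token format: "<userId>.<expiresUtcTicks>.<hex HMAC-SHA256>".
// The MAC input also includes the user's current password hash, so the token
// is implicitly invalidated as soon as the password is reset.
public static class ResetToken
{
    // Hypothetical server secret: load it from protected configuration, never hard-code it.
    private static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("replace-with-a-random-32-byte-secret");

    public static string Create(int userId, string currentPasswordHash, TimeSpan lifetime)
    {
        long expires = DateTime.UtcNow.Add(lifetime).Ticks;
        string body = userId + "." + expires;
        return body + "." + ToHex(Mac(body, currentPasswordHash));
    }

    // lookupPasswordHash returns the stored password hash for a user id, or null if unknown.
    public static bool TryValidate(string token, Func<int, string> lookupPasswordHash, out int userId)
    {
        userId = 0;
        string[] parts = (token ?? "").Split('.');
        long expires;
        if (parts.Length != 3 || !int.TryParse(parts[0], out userId) || !long.TryParse(parts[1], out expires))
            return false;
        string storedHash = lookupPasswordHash(userId);
        if (storedHash == null) return false;
        byte[] expected = Mac(parts[0] + "." + parts[1], storedHash);
        // Constant-time MAC comparison first, then the expiry check.
        bool macOk = FixedTimeEquals(ToHex(expected), parts[2]);
        return macOk && DateTime.UtcNow.Ticks < expires;
    }

    private static byte[] Mac(string body, string passwordHash)
    {
        using (var hmac = new HMACSHA256(ServerKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(body + "." + passwordHash));
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }
}
```

The hex-only token is safe to place directly in a query string; on the reset page call `TryValidate` with the stored hash lookup before showing the new-password form.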
A: 

Here, the System.Guid class is your friend, as it will generate a unique (well, unique enough) 128-bit number:

  • Generate a new Guid ( System.Guid.NewGuid() )
  • Store that Guid somewhere (Application object maybe?)
  • Send a custom URL in an email with that Guid
  • When the user hits the site, make them enter the password you sent in the email
  • If the passwords match, go ahead and force them to enter a new password
Goyuix
+3  A: 

Probably the easiest way is going to be to modify your users table to add 2 extra columns, OR if you don't want to modify the existing table you could add a new dependent table called "UserPasswordReset" or something like that. The columns are like this:

PasswordResetToken UNIQUEIDENTIFIER,
PasswordResetExpiration DATETIME

If you go with the additional table route, you could also add the UserID column, make it a primary key and a foreign key reference back to your users table. A UNIQUE constraint would also be recommended. Then you simply use a Guid in your asp.net application as the token.

The flow could be something like this:

  1. User requests password reset for their account
  2. You insert a new record in the table (or update their user record) by setting the PasswordResetExpiration to a date in the future (DateTime.Now.AddDays(1)), and set the token to Guid.NewGuid()
  3. Email the user a link to your ResetPassword.aspx page with the guid in the query string (http://www.yoursite.com/ResetPassword.aspx?token=Guid-here)
  4. Use the ResetPassword.aspx page to validate the token and expiration fields. (I.E. Make sure DateTime.Now < PasswordResetExpiration)
  5. Provide a simple form that allows the user to reset this password.

I know you wanted to avoid modifying the database, but it really is probably the simplest method.

Scott Anderson
+3  A: 

I used a Hashing Class to create unique automatic logins made up of the current date/time and the user's email address:

string strNow = DateTime.Now.ToString();
string strHash = strNow + strEmail;                    // strEmail: the user's email address
strHash = Hash.GetHash(strHash, Hash.HashType.SHA1);   // Hash: the helper class from the link below

get the Hash Class from: http://www.developerfusion.com/code/4601/create-hashes-md5-sha1-sha256-sha384-sha512/

Then just take it from the URL using:

if (Request.QueryString["hash"] != null)
{
    // extract Hash from the URL
    string strHash = Request.QueryString["hash"];
}
Alex
A: 

@Alex

You can also use System.Security.Cryptography classes in .NET for the hash algorithms. For example:

using System.Security.Cryptography;
using System.Text;
...
// ComputeHash takes bytes, so encode the token string first; dispose the algorithm when done
byte[] hash;
using (var sha256 = SHA256.Create())
    hash = sha256.ComputeHash(Encoding.UTF8.GetBytes(myTokenToHash));
...
hoi polloi