I'm looking for guidance on writing a custom password reset UI, but it must fit the Provider 'Pattern', or degrade silently to built-in defaults. E.g. my Reset Control must collect extra information, and perform differently to the standard Password Recovery Control. It must, as closely as possible, use the standard MembershipProvider interface for standard functions, and only use an extended interface for the non-standard stuff.

I'd like some reading on issues such as, what must I ask the Membership Provider for, and what must I do myself. What must I tell the provider (service?) about what I do? Etc.

A: 

Explicit guidance on a very sensitive and complex issue like this is more of a consultation job than a SO question but let me say this:

Your best source would be to read the SPROCS in ASPNETDB along with the actual provider code, which is available in the ASP.Net 2.0 Provider Toolkit Samples.

The behaviour is not trivial. Line for line, the code and SQL dealing with managing passwords make up the largest portion of the entire provider stack.

Just as an example:

There are 2 lockout time windows, invalid password attempts and invalid password Q/A reset attempts; the attempts on each are merged to be compared against a single maxInvalidPasswordAttempts lockout threshold.

And that just scratches the surface of the password management logic. So truly, you will be your own best guide after reading the relevant sections of the SqlMembershipProvider source and the sprocs in the db.

Sky Sanders
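
The split the question asks about, as an added example that is not part of the original answer or of ASP.NET: the reset flow asks the configured provider for its standard capability flags and uses an extended interface only when the provider implements it. `IExtendedPasswordReset`, `VerifyExtraResetData` and `PasswordResetFlow` are hypothetical names; the `MembershipProvider` members are the standard ones.

```csharp
using System;
using System.Configuration.Provider;
using System.Web.Security;

// Hypothetical extension contract (an assumption, not an ASP.NET type).
public interface IExtendedPasswordReset
{
    // True when the extra data collected by the custom UI checks out.
    // Failures here are invisible to the standard lockout counters,
    // so the implementing provider must throttle them itself.
    bool VerifyExtraResetData(string username, string extraData);
}

public static class PasswordResetFlow
{
    // Returns the new password, or null on any failure. One uniform result
    // lets the UI show the same message for every failure cause.
    public static string TryReset(string username, string answer, string extraData)
    {
        MembershipProvider provider = Membership.Provider;

        // Standard capability flag: ask the provider, do not assume.
        if (!provider.EnablePasswordReset)
            return null;

        // Extended path only when the configured provider opts in;
        // any other provider degrades silently to the standard flow.
        var extended = provider as IExtendedPasswordReset;
        if (extended != null && !extended.VerifyExtraResetData(username, extraData))
            return null;

        try
        {
            // SqlMembershipProvider checks the answer and counts failed
            // attempts against MaxInvalidPasswordAttempts inside this call,
            // so the UI keeps no counters of its own for the standard part.
            string a = provider.RequiresQuestionAndAnswer ? answer : null;
            return provider.ResetPassword(username, a);
        }
        catch (MembershipPasswordException) { return null; } // wrong answer or locked out
        catch (ProviderException) { return null; }           // unknown user or provider failure
        catch (ArgumentException) { return null; }           // empty or malformed input
    }
}
```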