Question 1 - I'm wanting to give the user the ability to reset their password only without an email and generated password. The user verifies themselves against our internal database by a custom form I wrote. Then, I'd like to prompt them for username and security Q&A. I don't know how to do the security Q&A, so I decided to customize the password recovery control. I don't want it to send an email with a new password. Rather, if they get the username and question right, I want to send them to a password reset page.

Is there any way to ask them for the security question and compare either by writing custom code or using a prebuilt component. Also, how do I set the password once they reset it?

Question 2 - I'm working on a 'Forgot Username'. It will verify against our database firstly. Based on what they enter, I'll be able to match up and find the username and userid in the forms authentication database. I'd like to ask them the security question but don't know how to create the hash from what they enter to compare with what's in the aspnet database for the user. Is there a way to do this?

thanks!!!

+5  A: 

If you are using ASP.NET forms authentication, it already provides the mechanisms for a user to reset a password by using a security question. This can be configured in the Web.config and used with a PasswordRecovery control, part of the ASP.NET login controls.

Setting in web.config under your membership provider's section:

requiresQuestionAndAnswer - When set to true the Question view will be required for the user's password to be retrieved or reset. When set to false the Question view is not displayed to the user.

Here is sample code using the PasswordRecovery control:

    <asp:PasswordRecovery ID="PasswordRecovery1" runat="server">
        <QuestionTemplate>
            <h2>Forgot Password</h2>
            Hello <asp:Literal ID="UserName" runat="server"></asp:Literal><br />
            Please answer your password question : <br />
            <asp:Literal ID="Question" runat="server"></asp:Literal>
            <asp:TextBox ID="Answer" runat="server"></asp:TextBox><br />
            <asp:Button ID="SubmitButton" runat="server" Text="Send Answer By Mail"
                CommandName="Submit" /><br />
            <asp:Literal ID="FailureText" runat="server"></asp:Literal>
        </QuestionTemplate>
    </asp:PasswordRecovery>

For more information on using the ASP.NET login controls, go to http://quickstarts.asp.net/QuickStartv20/aspnet/doc/ctrlref/login/default.aspx

As for not sending the email, you can cancel it by adding OnSendingMail="CancelEmail" to the PasswordRecovery control, adding code-behind like the code below, and then just displaying the new reset password on the screen.

    Sub CancelEmail(ByVal sender As Object, ByVal e As MailMessageEventArgs)
        e.Cancel = True
    End Sub

Hope that helps!

JC
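As an added example that is not part of the original answer: the question also asks how to set the password once the security answer has been verified, and how to compare the entered answer with the hashed one in the aspnet database. With the membership provider configured with requiresQuestionAndAnswer="true" (and password reset enabled), both are handled by the Membership API itself. MembershipUser.ResetPassword(answer) performs the answer comparison inside the provider, so no hash has to be computed in page code, and returns a generated temporary password that can be swapped immediately for the user's chosen one with ChangePassword, so the generated value never has to be displayed. The control names (UserNameBox, AnswerBox, NewPasswordBox, StatusText) and the page class name are assumptions for this example.

```vb
' Added example, not from the original post. Assumes the membership provider in
' web.config is configured with requiresQuestionAndAnswer="true" and
' enablePasswordReset="true", and that the page declares the TextBoxes
' UserNameBox, AnswerBox and NewPasswordBox plus a Literal named StatusText
' (all hypothetical names).
Imports System
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.UI.WebControls

Partial Public Class ResetPasswordPage
    Inherits Page

    Protected Sub ResetButton_Click(ByVal sender As Object, ByVal e As EventArgs)
        ' One generic message for "unknown user" and "wrong answer" so the
        ' form does not reveal which usernames exist.
        Const NotVerified As String = "The details you entered could not be verified."

        Dim user As MembershipUser = Membership.GetUser(UserNameBox.Text.Trim())
        If user Is Nothing Then
            StatusText.Text = NotVerified
            Return
        End If

        Try
            ' ResetPassword compares the supplied answer with the stored answer
            ' inside the provider (the SqlMembershipProvider hashes it the same
            ' way it hashed the answer at registration) and returns a generated
            ' temporary password. Wrong answers count toward the provider's
            ' invalid-attempt lockout, just like wrong passwords.
            Dim temporary As String = user.ResetPassword(AnswerBox.Text)

            ' Replace the generated password with the one the user chose, so
            ' the generated one is never shown or used to sign in.
            If user.ChangePassword(temporary, NewPasswordBox.Text) Then
                StatusText.Text = "Your password has been changed."
            Else
                StatusText.Text = "Your password could not be changed."
            End If
        Catch ex As MembershipPasswordException
            ' Raised when the security answer is wrong (or the account is locked out).
            StatusText.Text = NotVerified
        Catch ex As ArgumentException
            ' Raised by the provider when the new password fails the configured
            ' length or complexity policy.
            StatusText.Text = "The new password does not meet the password policy."
        End Try
    End Sub
End Class
```

Because the answer check and the password write both go through the provider, the custom form only has to collect the username, answer and new password; the page never reads or recomputes anything from the aspnet_Membership table directly.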