
Log In User with Parameters when Changing Password

Developer https://www.devze.com 2023-04-04 21:36 Source: web

I have an ASP.NET App in which I want to send an email to a user that presses a Recover Password button that resets the user's password and then sends a link to the user that when followed will log the user in with a new password and bring them to the Change Password page where they must reset their password.

I'm able to reset the password and get the new randomly generated password that I send back to the user in an email. However, when the user follows the link back with the UserName and pw parameters, the system does not seem to log them in.

Here's the code I am using on the load event that does not seem to work:

try
{
    string sUserName = Request.QueryString["UserName"].ToString();
    string sPw = Request.QueryString["pw"].ToString();

    if (Membership.ValidateUser(sUserName, sPw))
    {
        //Log the user in???
        FormsAuthentication.Authenticate(sUserName, sPw);
    }
}

catch (Exception r)
{
    string sMessage = r.Message;
}

Any help in logging the user in with username and password parameters would be greatly appreciated.


You can use FormsAuthentication.SetAuthCookie() :

if (Membership.ValidateUser(sUserName, sPw))
{
    FormsAuthentication.SetAuthCookie(sUserName, true);
}

In your sample code you are retrieving the user name and password from the query string - this is very bad practice as any observer will see it in plain text. At least use a POST for these values and put them in the body (i.e. with a form POST) and always use HTTPS at least for your login page.


Use the following code.

if (Membership.ValidateUser(sUserName, sPw))
{
    FormsAuthentication.SetAuthCookie(sUserName, true);
    Response.Redirect("ChangePassword.aspx");
}

FormsAuthentication.Authenticate is almost the same as FormsAuthentication.ValidateUser. They just validate user authentication. SetAuthCookie creates the authentication ticket (login).


This is how (IMO) reset password functionality should work:

  • User clicks button saying "Forgot Password".
  • In your code store a random GUID in the DB.
  • Send the user an email, with the GUID as a link in the email, as well as their userid, e.g.:

http://yoursite.com/user/reset?guid=a21312738&userid=213123

  • On the incoming page, read the userid from the QS, and fetch the user from the DB by this value.
  • Compare the stored GUID with the GUID in the QS. If they match, render a form that allows the user to change the password via an HTTPS POST.
  • In the POST action, change the user's password and sign them in.

You could also go one step further and store an expiration date for the GUID (e.g. user must change their password in 24 hours).
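An added example of the token-based flow described in this answer (not code from the question or any answer above). It assumes .NET 6 or later cryptography APIs, and a hypothetical in-memory dictionary stands in for the DB row; the hypothetical PasswordReset class issues an unguessable token, stores only its hash with an expiry, and checks it in constant time so the link is single-use.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: issues and redeems expiring, single-use password reset tokens.
public static class PasswordReset
{
    // Constructed in-memory store standing in for the DB:
    // userId -> (SHA-256 of the token, expiry in UTC)
    private static readonly Dictionary<int, (byte[] Hash, DateTime Expires)> Store = new();

    // Step "store a random GUID in the DB": 32 bytes from the CSPRNG rather than a Guid
    // (Guid.NewGuid is not documented as unpredictable), and only the hash is stored,
    // so a read of the DB table does not yield usable reset links.
    public static string Issue(int userId, TimeSpan lifetime)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Store[userId] = (Sha256(token), DateTime.UtcNow.Add(lifetime));
        return token; // goes into the e-mail link: /user/reset?token=...&userid=...
    }

    // Step "compare the stored GUID with the GUID in the QS": hash the presented token,
    // compare in constant time, reject expired tokens, and consume the token on success
    // so the same link cannot be redeemed twice.
    public static bool Redeem(int userId, string token)
    {
        if (token == null || !Store.TryGetValue(userId, out var entry)) return false;
        bool valid = DateTime.UtcNow <= entry.Expires
                  && CryptographicOperations.FixedTimeEquals(entry.Hash, Sha256(token));
        if (valid) Store.Remove(userId);
        return valid;
    }

    private static byte[] Sha256(string s) => SHA256.HashData(Encoding.UTF8.GetBytes(s));
}
```

Only after Redeem returns true does the HTTPS POST action set the new password and call FormsAuthentication.SetAuthCookie; the GET that carries the token never signs the user in by itself.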
