ASP .NET 2.0 Beta Preview - B. Evjen.pdf

Chapter 8: Membership and Role Management

Dealing with passwords

Many of us seem to spend our lives online and have username/password combinations for many different Web sites on the Internet. For this reason, end users forget passwords or want to change them every so often. ASP.NET 2.0 provides a couple of new server controls that work with the membership service so that end users can either change their password or retrieve a forgotten password.

The ChangePassword server control

The ChangePassword server control enables end users to change their password directly in the browser. Listing 8-15 shows a use of the ChangePassword control.

Listing 8-15: Allowing users to change their passwords

<%@ Page Language="VB" %>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Change Your Password</title>
</head>
<body>
    <form id="form1" runat="server">
        <%-- LoginStatus renders the login/logout link; ChangePassword renders the form --%>
        <asp:LoginStatus ID="LoginStatus1" Runat="server" />
        <p><asp:ChangePassword ID="ChangePassword1" Runat="server">
        </asp:ChangePassword></p>
    </form>
</body>
</html>

This is a rather simple use of the <asp:ChangePassword> control. Running this page produces the results shown in Figure 8-11.

Figure 8-11

The ChangePassword control produces a form that asks for the previous password. It also requires the end user to type the new password twice. Clicking the Change Password button launches an attempt to change the password if the user is logged in. If the end user isn’t logged into the application yet, he or she is redirected to the login page. Only a logged-in user can change his or her password. After the password is changed, the end user is notified (see Figure 8-12).

Figure 8-12

Remember that end users are allowed to change their passwords because the enablePasswordReset attribute of the membership provider is set to True. To deny this capability, set the enablePasswordReset attribute to False.

The PasswordRecovery server control

People simply forget their passwords. For this reason, you should provide the means to retrieve passwords from your data store. The PasswordRecovery server control provides an easy way to accomplish this task.

Password recovery usually means sending the end user’s password to him or her in an e-mail. Therefore, you need to set up an SMTP server (it might be the same machine as the application server). You configure this server in the web.config file, as illustrated in Listing 8-16.

Listing 8-16: Setting up the SMTP server in the web.config file

<configuration>
    <system.web>
        <smtpMail serverName="localhost" serverPort="25" from="evjen@yahoo.com">
            <fields>
                <!-- smtpauthenticate = 0: connect to the SMTP server without authentication -->
                <add name="http://schemas.microsoft.com/cdo/configuration/smtpauthenticate"
                     value="0" />
            </fields>
        </smtpMail>
    </system.web>
</configuration>


After you have the <smtpMail> element set up correctly, you can start to use the PasswordRecovery control. A simple use of the PasswordRecovery control is shown in Listing 8-17.

Listing 8-17: Using the PasswordRecovery control

<%@ Page Language="VB" %>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Getting Your Password</title>
</head>
<body>
    <form id="form1" runat="server">
        <asp:PasswordRecovery ID="PasswordRecovery1" Runat="server">
            <MailDefinition From="evjen@yahoo.com">
            </MailDefinition>
        </asp:PasswordRecovery>
    </form>
</body>
</html>

The <asp:PasswordRecovery> element needs a <MailDefinition> subelement. The <MailDefinition> element describes details about the e-mail to be sent to the end user. The minimum requirement is that the From attribute is used, which provides the e-mail address for the From part of the e-mail. The String value of this attribute should be an e-mail address. Other attributes for the <MailDefinition> element include

BodyFileName

BodyFormat

Cc

From

Priority

Subject

When you run this page, the PasswordRecovery control asks for the user’s username, as shown in Figure 8-13.

When it has the username, the membership service retrieves the question and answer that the end user entered earlier and generates the view shown in Figure 8-14.

If the question is answered correctly, an e-mail containing the password is generated and mailed to the end user. If the question is answered incorrectly, an error message is displayed.

It is important to change some of your membership service settings in order for this entire process to work. At present, it won’t work because of the way in which a user’s password is hashed. The membership service data store isn’t storing the actual password — just this hashed version of it. Of course, it is useless for an end user to receive a hashed password.
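The settings this paragraph refers to, as an added example that is not from the book: a membership section with hashed storage plus reset, next to the retrievable variant that mailing back the existing password requires. It assumes the attribute names of the released ASP.NET 2.0 SqlMembershipProvider (the Beta build may differ); the provider names, connection string name, and database are constructed placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- Constructed placeholder; point this at your own membership database -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="HashedWithReset">
      <providers>
        <clear />
        <!-- Hashed storage: the stored value cannot be turned back into the
             password, so retrieval is off and reset is on. PasswordRecovery
             then mails a newly generated password once the question is
             answered. Combining Hashed with enablePasswordRetrieval="true"
             is rejected by the provider as an invalid configuration. -->
        <add name="HashedWithReset"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
        <!-- Retrievable storage: required if the existing password itself is
             to be e-mailed. Weaker: anyone holding the database and the
             machineKey can decrypt every password, and the password travels
             in mail. Encrypted also needs an explicit (not auto-generated)
             machineKey element, which is not shown here. -->
        <add name="RetrievableWeaker"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Encrypted"
             enablePasswordRetrieval="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The maxInvalidPasswordAttempts and passwordAttemptWindow values also count wrong answers to the security question, so they limit guessing against the recovery form as well as the login form.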
