ASP.NET 2.0 Unleashed

Using the PasswordRecovery Control

If a user forgets her password, then she can use the PasswordRecovery control to email herself her password. The PasswordRecovery control either sends the user's original password or resets the password and sends the new password.

The page in Listing 20.33 contains a PasswordRecovery control.

Listing 20.33. ShowPasswordRecovery.aspx

<%@ Page Language="VB" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head runat="server"> <style type="text/css"> .passwordRecovery { font:14px Verdana,Sans-Serif; background-color:lightblue; border:solid 3px black; padding:4px; } .passwordRecovery_title { background-color:darkblue; color:white; font-weight:bold; } .passwordRecovery_instructions { font-size:12px; text-align:left; padding:10px; } .passwordRecovery_button { border:solid 1px black; padding:3px; } </style> <title>Show PasswordRecovery</title> </head> <body> <form runat="server"> <div> <asp:PasswordRecovery Css TitleTextStyle-Css InstructionTextStyle-Css SubmitButtonStyle-Css Runat="server"> <MailDefinition From="Admin@YourSite.com" Subject="Password Reminder" /> </asp:PasswordRecovery> </div> </form> </body> </html>

After you open the page in Listing 20.33 in your web browser, you are first asked to enter your username (see Figure 20.15). Next, you are asked to enter the answer to the security question that you entered when registering. Finally, a password is emailed to your registered email account.

Figure 20.15. Retrieving a lost password with the PasswordRecovery control.

Note

Before you use the PasswordRecovery control, you must specify your mail server settings in your application's web configuration file. See the earlier section in this chapter, "Sending a Create User Email Message."

By default, the PasswordRecovery control first resets your password before sending you the password. In the next section, you learn how to send a user's original password.

Sending the Original Password

By default, the PasswordRecovery control does not send a user's original password. If you don't want the PasswordRecovery control to reset a user's password before sending it, then you must change the configuration of the membership provider. Three configuration settings matter: passwordFormat, enablePasswordRetrieval, and enablePasswordReset.

By default, the passwordFormat attribute has the value Hashed. When passwords are hashed, the PasswordRecovery control cannot send a user's original password. This limitation makes sense because when passwords are hashed, the actual passwords are never stored anywhere. If you want to send a user his original password, then you need to set the passwordFormat attribute to either the value Clear or Encrypted.

By default, the enablePasswordRetrieval attribute has the value False. Therefore, if you want to send a user his original password, you must enable this property in the web configuration file.

Finally, by default, the enablePasswordReset attribute has the value true. Regardless of the value of the passwordFormat or enablePasswordRetrieval attributes, you can always reset a user's password and email the new password to the user.

The web configuration file in Listing 20.34 contains the necessary configuration settings to enable a user's original password to be sent.

Listing 20.34. Web.Config

<?xml version="1.0" encoding="utf-8"?> <configuration> <system.web> <authentication mode="Forms" /> <membership defaultProvider="MyMembership"> <providers> <add name="MyMembership" type="System.Web.Security.SqlMembershipProvider" connectionStringName="LocalSqlServer" passwordFormat="Clear" enablePasswordRetrieval="true" /> </providers> </membership> </system.web> </configuration>

The configuration file in Listing 20.34 causes passwords to be stored in plain text rather than hashed. Furthermore, password retrieval is enabled.

Requiring a Security Question and Answer

When you use the CreateUserWizard control to register, you are required to select a security question and answer. The PasswordRecovery control displays a form that contains the security question. If you cannot enter the correct security answer, then your password is not sent.

If you do not want to require users to answer a security question before receiving their passwords, then you can modify the configuration of the membership provider. The web configuration file in Listing 20.35 assigns the value false to the requiresQuestionAndAnswer attribute.

Listing 20.35. Web.Config

<?xml version="1.0" encoding="utf-8"?> <configuration> <system.web> <authentication mode="Forms" /> <membership defaultProvider="MyMembership"> <providers> <add name="MyMembership" type="System.Web.Security.SqlMembershipProvider" connectionStringName="LocalSqlServer" requiresQuestionAndAnswer="false" /> </providers> </membership> </system.web> </configuration>

Using Templates with the PasswordRecovery Control

If you need to completely customize the appearance of the PasswordRecovery control, you can use templates. The PasswordRecovery control supports the following three types of templates:

  • UserNameTemplate

  • QuestionTemplate

  • SuccessTemplate

The page in Listing 20.36 illustrates how you can use all three of these templates.

Listing 20.36. PasswordRecoveryTemplate.aspx

<%@ Page Language="C#" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head runat="server"> <style type="text/css"> html { font:12px Arial,Sans-Serif; } h1 { font:bold 16px Arial,Sans-Serif; color:DarkGray; } </style> <title>PasswordRecovery Template</title> </head> <body> <form runat="server"> <div> <asp:PasswordRecovery Runat="server"> <MailDefinition From="Admin@YourSite.com" Subject="Password Reminder" BodyFileName="PasswordRecovery.txt" /> <UserNameTemplate> <h1>User Name</h1> <asp:Label EnableViewState="false" ForeColor="Red" Runat="server" /> <br /> <asp:Label Text="Enter your user name:" AssociatedControl Runat="server" /> <br /> <asp:TextBox Runat="server" /> <br /> <asp:Button Text="Next" CommandName="Submit" Runat="server" /> </UserNameTemplate> <QuestionTemplate> <h1>Security Question</h1> <asp:Label EnableViewState="false" ForeColor="Red" Runat="server" /> <br /> <asp:Label Text="Enter your user name:" AssociatedControl Runat="server" /> <br /> <asp:TextBox Runat="server" /> <br /> <asp:Button Text="Next" CommandName="Submit" Runat="server" /> </QuestionTemplate> <SuccessTemplate> <h1>Success</h1> An email has been sent to your registered email account that contains your user name and password. </SuccessTemplate> </asp:PasswordRecovery> </div> </form> </body> </html>

The UserNameTemplate must contain a control with an ID of UserName. You also can include a control with an ID of FailureText when you want to display error messages. This template also must contain a Button control with a CommandName that has the value Submit.

The QuestionTemplate must contain a control with an ID of Question and a control with an ID of Answer. Optionally, you can include a FailureText control when you want to display error messages. It also must have a Button control with a CommandName that has the value Submit.

The SuccessTemplate, on the other hand, does not require any special controls.

Notice that the PasswordRecovery control in Listing 20.36 includes a MailDefinition property that references a custom email message. The message is contained in Listing 20.37.

Listing 20.37. PasswordRecovery.txt

Here's your login information: user name: <%UserName%> password: <%Password%>

The email message in Listing 20.37 contains substitution expressions for both the username and password.

Related

Категории