Build a Password Recovery Feature for ASP.NET Websites
If you run an ASP.NET website using webforms combined with member access, you can easily add a Password Recovery feature by utilizing built-in controls. This works well on Umbraco websites using Public Access.
This article focuses on implementation using Webforms. In a future article, I will discuss how this class can be applied to sites running MVC/Razor.
What does the PasswordRecovery class do?
The PasswordRecovery class allows you to easily add a 'Forgot Password?' function to your website. This class is different from the ChangePassword class, which is covered in the second article in this series.
Getting started using the PasswordRecovery class
It is important that the page that will run this control be outside of your secured section/folder. Otherwise, a user who has forgotten their password would not be able to reach it.
The first thing you will want to do is create a new page template to run the control. Implementation is quite easy: just add the following code to your page wherever you want the form to appear. Below is the most basic implementation.
<form runat="server">
    <asp:PasswordRecovery id="PasswordRecovery1" runat="server"></asp:PasswordRecovery>
</form>
This will generate a headline followed by a single input field, and a submit button with the following label:
- User Name
When submitted, the page is reloaded with either a success or failure message based on your input. If the submitted user name matches a record on file, an email will be dispatched to the user with a new password. The new hashed password is also stored, replacing the previous password.
The above might not work out of the box for you. I found that some tweaks need to be made to the web.config file to allow this control the correct permissions. The following example is the membership string used by the Umbraco CMS. Your membership string may vary.
<add name="UmbracoMembershipProvider"
     type="umbraco.providers.members.UmbracoMembershipProvider"
     enablePasswordRetrieval="false"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="false"
     defaultMemberTypeAlias="Another Type"
     passwordFormat="Hashed" />
The parameter you may need to change is enablePasswordReset. It needs to have a value of 'true'. The other parameters can stay at their default values.
Lastly, this control did not work for me until I specified an outgoing email address which is required by the mail server. You can easily specify your outbound email address by adding an additional parameter named MailDefinition-From to the PasswordRecovery control.
<form runat="server">
    <asp:PasswordRecovery id="PasswordRecovery1" MailDefinition-From="example@yourdomain.com" runat="server"></asp:PasswordRecovery>
</form>
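The web.config side of the same setup, as an added example that is not part of the original article: it opens the recovery page to anonymous visitors and sets the sender address and SMTP relay used for the reset email. The page name forgot-password.aspx and the host smtp.yourdomain.com are placeholders, and the location block assumes the secured folder is enforced by ASP.NET URL authorization in web.config.

```xml
<configuration>
  <!-- Assumed page name. Lets anonymous visitors reach the recovery page
       when the rest of the site is locked down by URL authorization. -->
  <location path="forgot-password.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.net>
    <mailSettings>
      <!-- "from" is the sender used when MailDefinition-From is not set
           on the PasswordRecovery control. -->
      <smtp deliveryMethod="Network" from="example@yourdomain.com">
        <!-- Placeholder host and port. enableSsl encrypts the connection
             to the relay, since the message carries the new password. -->
        <network host="smtp.yourdomain.com" port="587" enableSsl="true" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
```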
Additional PasswordRecovery class parameters
There are dozens of additional parameters that can be added to this control. You can control or override field labels, assign classes for styling and much more. For a complete list of all parameters and code examples, visit the PasswordRecovery MSDN page.