恢复/复位通过电子邮件丢失密码选项 [英] Recover / Reset lost password options via email

问题描述

我工作的一个C＃ASP.MVC 4项目利用了DefaultMembershipProvider的，我试图拿出一个用户友好的方式来恢复/重置丢失的密码。

我第一次尝试是让用户提供用户名（这是一个有效的电子邮件地址）然后，应用程序会产生一个随机的密码（符合我们的要求），该密码，然后通过电子邮件发送给用户。

我的理想的解决方案是，当用户点击忘记密码按钮。他们被要求为自己的用户名其中规定时会导致邮件到一个URL发送（此URL也将连接到它的到期日）。该解决方案（前发送电子邮件）也复位，然后应用程序内的用户密码。当用户点击URL，它们会自动登录并发送至更改密码表单。是否有问题，这个解决方案？

有关配置我有以下值设置：

 ＆LT;会员defaultProvider =DefaultMembershipProvider＆GT;
  ＆LT;供应商＆GT;
    ＆LT;清/＆GT;
    ＆LT;添加名称=DefaultMembershipProviderTYPE =System.Web.Providers.DefaultMembershipProvider，System.Web.Providers，版本= 1.0.0.0，文化=中性公钥= 31bf3856ad364e35的connectionStringName =DefaultConnection
         enablePasswordRetrieval =假
         enablePasswordReset设置=真
         requiresQuestionAndAnswer =假
         requiresUniqueEmail =假
         maxInvalidPasswordAttempts =5
         minRequiredPasswordLength =6
         minRequiredNonalphanumericCharacters =0
         passwordAttemptWindow =10
         的applicationName =//＆GT;
  ＆LT; /供应商＆GT;
＆LT; /会员＆GT;
 

解决方案

的一切都在这里首先是两个必须阅读[我要重申，必须阅读]：

1. 您想知道的关于建立一个安全的密码重置功能一切


2. You're大概储存密码不正确

随着中说，OWASP有关于如何实现身份验证的一些准则，你可以得到他们的认证小抄，并为您的特定情况下，忘记密码小抄。这也可以说是一本必读书。如果你不打算遵循OWASP，我希望那是因为你决定，而不是因为你不知道任何好转。

总之，最好的抽象是如下（这是从上面的第一个环节采取）的形象，如果你要记住只有一件事，让它是这样的：

I am working on a C# ASP.MVC 4 project making use of the DefaultMembershipProvider and I am trying to come up with a user friendly way to recover / reset a lost password.

My first attempt was to have the user provide their username (which is a valid email address) the application would then generate a random password (meeting our requirements), that password is then emailed to the user.

My ideal solution would be that when a user clicks the forgot password button. They are asked for their username which when provided would cause an email to be sent with a URL (this URL will also have an expiration date attached to it). This solution also resets the users password inside then application (before sending the email). When the user clicks on the URL, they are automatically logged in and sent to the change password form. Are there problems with this solution?

For configuration I have the following values set:

<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <clear />
    <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" 
         enablePasswordRetrieval="false" 
         enablePasswordReset="true" 
         requiresQuestionAndAnswer="false" 
         requiresUniqueEmail="false" 
         maxInvalidPasswordAttempts="5" 
         minRequiredPasswordLength="6" 
         minRequiredNonalphanumericCharacters="0" 
         passwordAttemptWindow="10" 
         applicationName="/" />
  </providers>
</membership>

解决方案

First of all here are two must read [I repeat, MUST read]:

1. Everything you ever wanted to know about building a secure password reset feature
2. You're Probably Storing Passwords Incorrectly

With that said, OWASP has some guidelines about how to implement authentication, you can get started at their Authentication Cheat Sheet and for your particular case the Forgot Password Cheat Sheet. Which is also arguably a must read. If you are not going to follow OWASP, I hope it is because you decided to, and not because you didn't know any better.

Anyway, the best abstract is the image that follows (which is taken from the first link above), if you are going to remember only one thing, let it be this:

这篇关于恢复/复位通过电子邮件丢失密码选项的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！