ASP.NET成员资格提供程序 - 重置密码功能 - 电子邮件确认和密码更改 [英] ASP.NET Membership Provider - Reset Password Features - Email Confirmation and Password Change
问题描述
有没有人有以下功能的解决方案(样品code):
Does anyone have a solution (sample code) for the following features:
- 创建一个randomGuid /密码学
强大的随机数 - 发送包含一个唯一的URL
随机数给用户的电子邮件
地址 - 当确认时,用户被要求
更改密码
我的提供商参数化是这样的:
My provider is currently parametrized this way:
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
applicationName="/"
requiresUniqueEmail="true"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="5"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
name="AspNetSqlMembershipProvider"
这类程序的安全问题进行了讨论<一个href=\"http://stackoverflow.com/questions/2150895/resetting-asp-net-password-security-issues\">here之前。
推荐答案
瑞,我是在一个类似于船的几个飞蛾前,并没有之前曾曝光的成员提供了很大的,我挣扎着爬它正确实施,是因为我认为你必须实现和使用整个事情是,或什么都没有。
Rui, I was in a similar boat a few moths ago, and not having had a great deal of exposure to the membership provider before, I struggled to get it implemented properly, because I thought you have to implement and use the whole thing as is, or nothing at all.
好吧,我很快就发现,你只能使用其中的一部分,而不是整个对象。例如,在我的应用我有我自己的用户对象和我自己的密码和登录模块,但我需要得到窗体身份验证工作。所以我基本上只使用该部分的会员供应商。我不覆盖任何方法或什么,只是使用它的FormsAuthentication,然后我用我自己的仓库来更改密码,验证用户名密码等。
Well I soon discovered that you can only use parts of it, not the entire object. For example in my application I have my own user object and my own password and login modules, but I needed to get forms authentication working. So I basically just use the Membership provider for that part. I am not overriding any methods or anything, just use it for FormsAuthentication, then I use my own repositories to changing passwords, verifying username passwords etc.
下面是从我的MVC登录code片段。
Here is a snippet from my login code in MVC.
var authTicket = new FormsAuthenticationTicket(1, user.UniqueName, DateTime.UtcNow, DateTime.UtcNow.AddHours(2), rememberMe, cookieValues);
var encryptedTicket = FormsAuthentication.Encrypt(authTicket);
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket) { Expires = DateTime.UtcNow.AddDays(14) };
httpResponseBase.Cookies.Add(authCookie);
这使我使用FormsAuthentication.SignOut();方法等方法会员提供器提供了。
This enables me to use the FormsAuthentication.SignOut(); methods and other methods the membership provider makes available.
在你的问题再创建一个randomGuid /强加密随机数,这里是一个很好的方法,你可以使用,我发现它前一段时间,我很抱歉,但不记得在网络上
On your question re Create a randomGuid/Cryptographically strong random number, here is a good method you can use, I found it a while ago, and I am sorry but can't remember where on the web
/// <summary>
/// A simple class which can be used to generate "unguessable" verifier values.
/// </summary>
public class UnguessableGenerator
{
const string AllowableCharacters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/^()";
const string SimpleAllowableCharacters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
/// <summary>
/// Generates an unguessable string sequence of a certain length
/// </summary>
/// <param name="length">The length.</param>
/// <param name="useSimpleCharacterSet">if set to <c>true</c> [use simple character set].</param>
/// <returns></returns>
public static string GenerateUnguessable(int length, bool useSimpleCharacterSet = false, string additionalCharacters = "")
{
var random = new Random();
var chars = new char[length];
var charsToUse = useSimpleCharacterSet ? SimpleAllowableCharacters : AllowableCharacters;
charsToUse = string.Format("{0}{1}", charsToUse, additionalCharacters);
var allowableLength = charsToUse.Length;
for (var i = 0; i < length; i++)
{
chars[i] = charsToUse[random.Next(allowableLength)];
}
return new string(chars);
}
/// <summary>
/// Generates an ungessable string, defaults the length to what google uses (24 characters)
/// </summary>
/// <returns></returns>
public static string GenerateUnguessable()
{
return GenerateUnguessable(24);
}
}
有关发送包含随机数到用户的电子邮件地址的唯一URL,你需要的是您的用户表或任何表来存储一个随机ID,然后使用一个特制的URL在电子邮件用户的方式可以用它来验证。
For Send a unique URL containing the random number to the user's email address, what you need is in your User table or any table a way to store a random id and then use that in a crafted url in an email that the user can use to verify.
这将要求您创建一个URL,将接受该类型的URL,然后你必须提取所需构成了查询字符串的部件和更新您的用户对象。
This will require you to create a Url that will accept that type of Url, and then you have to extract the parts you need form the querystring and update your user object.
有关在确认后,系统会要求用户更改密码,默认情况下在你的表强制用户更改自己的密码,一个位标志,这会派上用场后来太多,如果你需要强制用户更改密码。于是登录code查看是否此位标志时,如果是这样,它会先强制更改密码。然后,一旦用户改变了他的密码,你会变成这个标志了。
For When confirmed, the user is asked to change password, by default have a bit flag in your table that forces a user to change his password, this will come in handy later too if you need to force a user to change password. So then your login code looks to see if this bit flag is on, and if so, it will force a password change first. Then once the user has changed his password, you will turn this flag off.
希望这有助于。
这篇关于ASP.NET成员资格提供程序 - 重置密码功能 - 电子邮件确认和密码更改的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
